CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS
Percentile
5.1%
libqb is a library with the primary purpose of providing high-performance, reusable features for client-server architecture, such as logging, tracing, inter-process communication (IPC), and polling.
It was discovered that libqb used predictable filenames (under /dev/shm and /tmp) without O_EXCL.
A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application linked against libqb.
There is no known workaround at this time.
All libqb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/libqb-1.0.5"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | sys-cluster/libqb | < 1.0.5 | UNKNOWN |
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS
Percentile
5.1%