Gentoo has released updated packages to correct a vulnerability identified in Perl, Qt-UnixODBC and CMake. This flaw is due to an error where some packages may introduce insecure paths into the list of directories that are searched for libraries at runtime, which could be exploited by a member of the "portage" group to create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent executable, potentially resulting in privilege escalation.

Affected Products

dev-lang/perl versions prior to 5.8.7-r1
dev-db/qt-unixodbc versions prior to 3.3.4-r1
dev-util/cmake versions prior to 2.2.0-r1

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/perl
# emerge --ask --oneshot --verbose " >=dev-db/qt-unixodbc-3.3.4-r1"
# emerge --ask --oneshot --verbose dev-util/cmake

References

http://www.vupen.com/english/advisories/2005/2119
http://www.gentoo.org/security/en/glsa/glsa-200510-14.xml

Changelog

2005-10-17 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.