Portage: Information disclosure

Portage may disclose sensitive information when updating configuration files.

Package: portage
Announced: December 13, 2007
Revised: December 13, 2007: 01
Bug: 193589
Access: local
Unaffected: >= 2.1.3.11
Vulnerable: < 2.1.3.11

Portage is the default Gentoo package management system.

Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.
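
The permission effect described above, shown as an added shell example that is not taken from Portage or etc-update: a scratch file written under an assumed default umask of 022 ends up mode 0644, while setting umask 077 and working inside a mktemp -d directory keeps it private. The function names, file names and sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; names are hypothetical, not taken from etc-update.

# Print the octal permission bits of a path (GNU stat, with BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Weak pattern: write a merge scratch file by plain redirection under the
# inherited umask. With the assumed default of 022 the result is 0644.
merge_tmp_default_umask() {
    workdir=$1
    (
        umask 022    # models the standard default umask
        printf 'db_password=constructed-sample\n' > "$workdir/merge.tmp"
    )
    file_mode "$workdir/merge.tmp"
}

# Hardened pattern: restrict the umask before any scratch file exists and
# keep scratch files in a private directory created by mktemp -d (0700).
# Prints "<directory mode> <file mode>".
merge_tmp_private() {
    workdir=$1
    (
        umask 077
        private=$(mktemp -d "$workdir/merge.XXXXXX") || exit 1
        printf 'db_password=constructed-sample\n' > "$private/merge.tmp"
        printf '%s %s\n' "$(file_mode "$private")" "$(file_mode "$private/merge.tmp")"
    )
}

# Audit helper: list regular files under a directory that have the
# "other" read bit set, i.e. files any local user could read.
world_readable_files() {
    find "$1" -type f -perm -004
}
```

The audit helper can be pointed at any scratch directory used during a configuration merge to confirm that no file there is readable by other local users.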

A local attacker could access sensitive information when configuration files are being merged.

There is no known workaround at this time.

All Portage users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"

References: CVE-2007-6249