pmake: Insecure temporary file usage pmake uses temporary files in an insecure manner, allowing for symlink attacks. pmake 2013-10-28 2013-10-28 367891 local 1.111.3.1 1.111.3.1

pmake is Debian’s version of NetBSD’s make, a tool to build programs in parallel.

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend[PID]), and without using $TMPDIR.

The make include files allow local users to overwrite arbitrary files via a symlink attack.

There is no known workaround at this time.

All pmake users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/pmake-1.111.3.1" CVE-2011-1920 craig craig