Source: libqb
Version: 1.0.3-2
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: https://github.com/ClusterLabs/libqb/issues/338
Control: found -1 0.11.1-2

Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (for example, in the case of USBGuard, with names like /dev/shm/qb-usbguard-request-7096-835-12-data). Also, the O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).
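
The difference O_EXCL makes, as an added example that is not libqb's code: the same pre-existing symlink is opened once with O_CREAT alone and once with O_CREAT | O_EXCL | O_NOFOLLOW. The function names, the scratch directory under /tmp and the file name qb-example-data are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: O_CREAT without O_EXCL. If a symlink already
 * sits at the predictable name, the open follows it to its target. */
static int open_weak(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if anything (a symlink included)
 * already exists at the path, so the caller creates the file or stops. */
static int open_hardened(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink is
 * present at the name before the open. Returns a bitmask:
 * bit 0 = weak open wrote through the link into the target file,
 * bit 1 = hardened open refused with EEXIST; -1 on setup failure. */
static int demo(void) {
    char dir[] = "/tmp/qb-demo-XXXXXX", target[64], name[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/qb-example-data", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if (symlink(target, name) != 0) return -1;

    fd = open_hardened(name);
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_weak(name);
    if (fd >= 0) { ssize_t n = write(fd, "x", 1); (void)n; close(fd); }
    if (stat(target, &st) == 0 && st.st_size == 1) result |= 1;
    unlink(name); unlink(target); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

A caller that gets EEXIST from the hardened open should treat the name as taken and fail or pick a new unpredictable name, not unlink and retry on the same path.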