This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsaid="201904-05">
<title>BURP: Root privilege escalation</title>
<synopsis>A vulnerability was discovered in Gentoo's ebuild for BURP which
could lead to root privilege escalation.
</synopsis>
<producttype="ebuild">burp</product>
<announced>2019-04-02</announced>
<revisedcount="1">2019-04-02</revised>
<bug>641842</bug>
<access>local</access>
<affected>
<packagename="app-backup/burp"auto="yes"arch="*">
<unaffectedrange="ge">2.1.32-r1</unaffected>
<vulnerablerange="lt">2.1.32-r1</vulnerable>
</package>
</affected>
<background>
<p>A network backup and restore program.</p>
</background>
<description>
<p>It was discovered that Gentoo’s BURP ebuild does not properly set
permissions or place the pid file in a safe directory. Additionally, the
first set of patches did not completely address this. As such, a
revision has been made available that addresses all concerns of the
initial report.
</p>
</description>
<impacttype="normal">
<p>A local attacker could escalate privileges.</p>
</impact>
<workaround>
<p>Users should ensure the proper permissions are set as discussed in the
referenced bugs.
</p>
</workaround>
<resolution>
<p>All BURP users should upgrade to the latest version:</p>
