Arch Linux Security Advisory ASA-202011-21
==========================================

Severity: Medium
Date    : 2020-11-19
CVE-ID  : CVE-2020-28407
Package : swtpm
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-1282

Summary
=======

The package swtpm before version 0.5.1-1 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 0.5.1-1.

# pacman -Syu "swtpm>=0.5.1-1"

The problem has been fixed upstream in version 0.5.1.

Workaround
==========

None.

Description
===========

A potential symbolic link following issue has been found in swtpm before
0.5.1.

Impact
======

A malicious file might trick the program into overwriting files and
escalating privileges.

References
==========

https://github.com/stefanberger/swtpm/compare/v0.5.0...v0.5.1
https://github.com/stefanberger/swtpm/commit/e9c9778d5c35ef077aed1ec6601b47a...
https://github.com/stefanberger/swtpm/commit/4cc42c0ba3632a98ef381bda68d0a4e...
https://github.com/stefanberger/swtpm/commit/634b6294000fb785b9f12e13b852c18...
https://github.com/stefanberger/swtpm/commit/a03cbadd087b2602412823f254ac75a...
https://github.com/stefanberger/swtpm/commit/526300236dc8a7664acdc265b6fc5d7...
https://github.com/stefanberger/swtpm/commit/e621b21d4c31029ebe794350fcff2bc...
https://security.archlinux.org/CVE-2020-28407
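The bug class in the Description is a program writing a file through a path an attacker has replaced with a symlink. The following is an added example, not swtpm's own code or its actual fix, showing the defensive pattern: open with O_NOFOLLOW, verify the descriptor is a regular file, and only then write. The helper names and the temporary-directory scenario are assumptions constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not swtpm's): write `len` bytes to `path` without
 * following a symlink at the final component and only into a regular file.
 * Returns 0 on success, -1 with errno set (ELOOP on Linux if `path` is a
 * symlink, EINVAL if the opened object is not a regular file). */
int write_nofollow(const char *path, const char *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    while (len > 0) {                      /* handle short writes */
        ssize_t n = write(fd, buf, len);
        if (n < 0) { close(fd); return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed scenario: a symlink is planted where the program expects to
 * write its state file. Returns 1 if the write through the link is refused
 * with ELOOP, the link target keeps its original 8-byte content, and a
 * plain path still works; 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/swtpm-demoXXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char victim[128], link[128], plain[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/state", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    int ok = write_nofollow(victim, "original", 8) == 0
          && symlink(victim, link) == 0
          && write_nofollow(link, "HIJACKED!!", 10) == -1 && errno == ELOOP
          && write_nofollow(plain, "fine", 4) == 0;
    struct stat st;
    ok = ok && stat(victim, &st) == 0 && st.st_size == 8; /* untouched */
    unlink(link); unlink(victim); unlink(plain); rmdir(dir);
    return ok;
}
```

The ELOOP value is Linux behaviour for O_NOFOLLOW on a symlink; other systems may report a different errno for the same refusal.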