thr3ads.net - Secure testing team - [Secure-testing-team] Bug#508940: CVE-2008-5379: Symlink attack [Dec 2008]

If this information is useful, please help other people find it:
Share via:

Steffen Joeris

2008-Dec-16 20:32 UTC

[Secure-testing-team] Bug#508940: CVE-2008-5379: Symlink attack

Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for netdisco-mibs-installer.

CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
| files via a symlink attack on the /tmp/netdisco-mibs-0.6.tar.gz
| temporary file, related to the (1) netdisco-mibs-install and (2)
| netdisco-mibs-download scripts.

The best way is to use mktemp in shell scripts, which should work for
this package too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5379
    http://security-tracker.debian.net/tracker/CVE-2008-5379

Secure testing team - Dec 2008 - Bug#508940: CVE-2008-5379: Symlink attack

[Secure-testing-team] Bug#508940: CVE-2008-5379: Symlink attack