Bug 148802

Summary: CAN-2004-1382 insecure temporary file usage
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED DUPLICATE QA Contact: Brian Brock <bbrock>
Severity: low Docs Contact:
Priority: medium    
Version: 3Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20041024
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-15 20:44:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-02-15 18:40:06 UTC 
*** This bug has been split off bug 148800 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.02.15
13:25 -------

The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite
arbitrary files via a symlink attack on temporary files, a different
vulnerability than CAN-2004-0968.

Please see this url for more information:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278278
Comment 1 Josh Bressers 2005-02-15 18:41:04 UTC 
This issue should also affect FC2
Comment 2 Jakub Jelinek 2005-02-15 20:42:48 UTC 
This is fixed in 2.3.3-71 and above for FC3/RHEL4, since 2.3.3-27.1
in FC2, since 2.3.2-95.29 in RHEL3 (i.e. already in U4) and newly in
2.2.4-32.19 for AS2.1.
In all cases glibcbug script has been removed and catchsegv fixed.

This means the only distro that has the fix not yet released as part of an errata
is AS2.1, which is covered by #140068.
Comment 3 Jakub Jelinek 2005-02-15 20:44:22 UTC 

*** This bug has been marked as a duplicate of 140068 ***

*** This bug has been marked as a duplicate of 140068 ***