Bug 4118

Summary: Programs with possible /tmp symlink exploits
Product: [Retired] Red Hat Linux Reporter: tf
Component: manAssignee: Cristian Gafton <gafton>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-02-15 22:14:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description tf 1999-07-19 16:14:46 UTC
Following mail just went to the debian folks:

Dear Nerds,

maybe you remember my /tmp symlink attack posting to bugtraq
some time
ago. Some closer investigation revealed that in SuSE Linux
6.1 (a pity we
are not allowed to use debian at our site, but anyway...),
the following
programs were susceptible to symlink attacks; of course, the
list most
probably is not complete, but it contains the most
frequently used
programs showing bad behaviour:

Exploitable Program             typical file

man                             /tmp/zman09639aaa
all the rcs stuff               /tmp/T0a10328
netscape                        /tmp/jzip378496230054DAE
mktexpk                         /tmp/mt20385.tmp/mt20385.out
tkdesksh                        /tmp/17780aaa
pine                            /tmp/pine_prt023368
kdmrc                           /tmp/T0a23848
pvmd3                           /tmp/pvml.2346

Don't know yet where these calls did come from; some might

?  sh -c mount /dev/fd0 2>/tmp/mnt931444692
?  /usr/bin/vi /tmp/snd.4920
?  cp query /tmp
Furthermore, I think cflow also had problems on my private