Bug 460628 (CVE-2008-4982)
Summary: | CVE-2008-4982 rkhunter: Insecure auxiliary /tmp file usage (symlink attack possible) | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | unspecified | CC: | devrim, kevin | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-11-06 17:29:20 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Jan Lieskovsky
2008-08-29 08:26:59 UTC
The more real bug in debian seems to be: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496375 (the one you refer to is the mass bug filing against a bunch of packages tmp use). Debian seems to have fixed this by using mktemp for the debug file, but leaving it in /tmp/ Should we do likewise, or move the debug file to /var/run/ as well? Note that the current script does test the file for being a regular file, so the window for the attack is pretty small. Created attachment 315445 [details]
proposed patch using mktemp
Here's a proposed patch using mktemp.
rkhunter-1.3.2-5.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc9 rkhunter-1.3.2-5.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc8 rkhunter-1.3.2-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. rkhunter-1.3.2-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. CVE id CVE-2008-4982 was assigned to this flaw: rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rkhunter-debug temporary file. NOTE: this is probably a different vulnerability than CVE-2005-1270. |