Bug 460636 (CVE-2008-4937)
| Summary: | CVE-2008-4937 openoffice.org-core: Insecure temporary file usage | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | caolanm |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-11-06 10:55:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The pending update at https://admin.fedoraproject.org/updates/openoffice.org-2.4.1-17.6.fc9 includes the openoffice.org-2.4.0.ooo93119.shell.echos.patch fix for this openoffice.org-2.4.1-17.6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. CVE id CVE-2008-4937 was assigned to this issue: senddoc in OpenOffice.org (OOo) 2.4.1 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/log.obr.##### temporary file. Affected Fedora 9 packages fixed via: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-7680 No other OpenOffice.org version we ship was affected by this problem (see comment #0). |
The version of the openoffice.org-core package as shipped with Fedora release of 9 (openoffice.org-core-2.4.1-17.4.fc9.*) is prone to the symlink attack. Affected file: /usr/lib/openoffice.org/program/senddoc Relevant part of the code: 1 #!/bin/sh 2 URI_ENCODE="`dirname $0`/uri-encode" 3 4 echo "$@" > /tmp/log.obr.$$ 5 echo "$#" >> /tmp/log.obr.$$ 6 Description: A malicious user could precreate a symbolic link to file /tmp/log.obr.$$ (pids are assigned in subsequent order and even it is not too hard to create a symlinks to all 64K pids). Subsequent run of the oo* command and sending the message as part of the mail would destroy / truncate the size of the synlink target to zero. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496367 Affected openoffice.org-core versions: This issue does not affect the versions of the openoffice.org-core package, as shipped with Red Hat Enterprise Linux 3, 4 and 5 and within Fedora releases of 8 and 10. This issue affects only version of the openoffice.org-core package, as shipped within the Fedora release of 9 (openoffice.org-core-2.4.1-17.4.fc9).