Bug 601401 (CVE-2010-2053)

Summary: CVE-2010-2053 emesene: symlink vulnerability allows overwriting arbitrary files
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: itamar, metherid, rosset.filipe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-28 21:00:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 601402    
Bug Blocks:    

Description Vincent Danen 2010-06-07 21:09:58 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2053 to
the following vulnerability:

Name: CVE-2010-2053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2053
Assigned: 20100525
Reference: MLIST:[oss-security] 20100529 Fwd: emesene preditable temporary filename
Reference: URL: http://marc.info/?l=oss-security&m=127514641525366&w=2
Reference: CONFIRM: http://forum.emesene.org/index.php?topic=3441.0
Reference: CONFIRM: http://www.emesene.org/
Reference: OSVDB:65018
Reference: URL: http://osvdb.org/65018
Reference: SECUNIA:39945
Reference: URL: http://secunia.com/advisories/39945
Reference: XF:emesene-emsnpic-symlink(59045)
Reference: URL: http://xforce.iss.net/xforce/xfdb/59045

emesenelib/ProfileManager.py in emesene before 1.6.2 allows local
users to overwrite arbitrary files via a symlink attack on the emsnpic
temporary file.
Comment 1 Vincent Danen 2010-06-07 21:12:24 UTC 
Created emesene tracking bugs for this issue

Affects: fedora-all [bug 601402]
Comment 2 Fedora Update System 2010-06-08 09:31:14 UTC 
emesene-1.6.2-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/emesene-1.6.2-1.fc12
Comment 3 Fedora Update System 2010-06-08 09:31:15 UTC 
emesene-1.6.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/emesene-1.6.2-1.fc13
Comment 4 Fedora Update System 2010-06-08 09:32:52 UTC 
emesene-1.6.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/emesene-1.6.2-1.fc11
Comment 5 Fedora Update System 2010-06-10 19:14:19 UTC 
emesene-1.6.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2010-06-10 19:17:28 UTC 
emesene-1.6.2-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-06-10 19:22:23 UTC 
emesene-1.6.2-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.