Bug 1076049 (CVE-2014-2387) - CVE-2014-2387 pen: insecure temporary file use flaws
Summary: CVE-2014-2387 pen: insecure temporary file use flaws
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2014-2387
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1076050 1076051
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-03-13 12:37 UTC by Murray McAllister
Modified: 2019-09-29 13:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:31:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Murray McAllister 2014-03-13 12:37:24 UTC 
Steve Kemp reported two temporary file issues in pen, a load balancer for "simple" TCP based protocols such as HTTP and SMTP.

The first is the use of "/tmp/webfile.html" when requesting web stats.

The second is the use of "/tmp/penctl.cgi" in the penctl.cgi CGI script.

A local attacker could use these flaws to perform symbolic link attacks.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

CVE request: http://seclists.org/oss-sec/2014/q1/566
Comment 1 Murray McAllister 2014-03-13 12:38:54 UTC 
Created pen tracking bugs for this issue:

Affects: fedora-all [bug 1076050]
Affects: epel-all [bug 1076051]
Comment 2 Murray McAllister 2014-03-14 01:48:37 UTC 
MITRE assigned CVE-2014-2387 to these issues:

http://seclists.org/oss-sec/2014/q1/572
Comment 4 Product Security DevOps Team 2019-06-08 02:31:57 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Note You need to log in before you can comment on or make changes to this bug.