Bug 152810 - CAN-2004-0966 GNU gettext Insecure Temporary File Creation Vulnerability
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://secunia.com/advisories/12774/
Whiteboard: LEGACY
Reported: 2004-10-11 17:24 EDT by David Lawrence
Modified: 2007-04-18 13:22 EDT
Description David Lawrence 2005-03-30 18:28:15 EST
A vulnerability has been reported in gettext, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused due to temporary files being created insecurely.
This can be exploited via symlink attacks to overwrite or create arbitrary files
with the privileges of the user running gettext.

advisories:
http://secunia.com/advisories/12774/
http://secunia.com/advisories/12775/
http://www.gentoo.org/security/en/glsa/glsa-200410-10.xml

Bugzilla:
(Gentoo) http://bugs.gentoo.org/show_bug.cgi?id=66355



------- Additional Comments From simon@nzservers.com 2004-10-14 09:41:19 ----

I don't think 7.3 is vulnerable to this. The two patches provided on the
gentoo bugzilla don't even remotely match any of the code in gettext-0.11.1.
The first patch for misc/autopoint.in references a file introduced in a later
version. The second patch fixes a routine that sets the PATH_SEPARATOR. This
routine doesn't appear to exist in this version.
 
- Si 



------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-05 05:51:20 ----

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0966

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323



------- Additional Comments From pekkas@netcore.fi 2004-12-20 10:57:13 ----

From Red Hat's bugzilla, Mark Cox said:

"Temporary file vulnerability in autopoint, gettextize scripts.  Patch
attached.  These issues don't affect the scripts shipped with gettext
in RHEL2.1, RHEL3."

This is not definitive -- RHL9 version might bear checking against RHEL3, but if
this is true, is FC1 the only affected platform (if even that is)?




------- Additional Comments From pekkas@netcore.fi 2005-02-15 06:43:54 ----

According to the advisory, only 1.14 and up are affected.  RHL73, RHL9 and FC1
are all older than this so closing (I hope this is the right resolution).



------- Additional Comments From dom@earth.li 2005-02-15 13:52:11 ----

Which advisory? Had a quick scan through and couldn't find anything definitive.



------- Additional Comments From pekkas@netcore.fi 2005-02-15 19:24:58 ----

In the CVE, it says:

"The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14
and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other
operating systems, allows local users to overwrite files via a symlink attack on
temporary files."

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 also gives hints
towards that direction.





------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2151 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2151
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-04-12 01:15:24 EDT
Note that bug #136323 for FC2 (apparently impacted) is still open.
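
The temporary-file weakness named in the bug description, as an added example that is not part of this bug report and is not gettext's code (the report does not quote the affected lines of autopoint or gettextize): a predictable temp path beside a hardened creation routine for a shell script. The function names, the `gtx` prefix and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the "gtx" prefix are hypothetical.

# Weak pattern: the path is guessable (it embeds the PID), and ">" follows
# whatever already exists at that path, including a symlink owned by
# another local user.
unsafe_tmp_write() {   # $1 = temp dir, $2 = data
    tmp="$1/gtx$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: create a private directory atomically, then work in it.
# mktemp -d picks an unpredictable name and never reuses an existing entry;
# the fallback relies on mkdir failing on any existing entry, symlinks
# included, so a pre-planted link causes an error instead of a write.
safe_tmp_write() {     # $1 = temp dir, $2 = data
    dir=$(umask 077 && mktemp -d "$1/gtxXXXXXX" 2>/dev/null) || dir=
    if [ -z "$dir" ]; then
        dir="$1/gtx$$-$(date +%s)"
        (umask 077 && mkdir "$dir") || return 1
    fi
    printf '%s\n' "$2" > "$dir/work"
    printf '%s\n' "$dir/work"
}

# Constructed sandbox check: prints the content of a stand-in "victim" file
# after the given routine has run with a link already present at the
# predictable path. Everything lives in a throwaway directory.
victim_after() {       # $1 = routine name
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/gtx$$"
    "$1" "$box" "scratch data" >/dev/null
    cat "$box/victim"
    rm -rf "$box"
}

echo "unsafe routine: victim holds '$(victim_after unsafe_tmp_write)'"
echo "safe routine:   victim holds '$(victim_after safe_tmp_write)'"
```

When auditing a packaged script for this class of bug, look for temp paths built from `$$` or a fixed name under `/tmp` or `$TMPDIR` that are written to without a preceding `mktemp` or a checked `mkdir`.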
