Bug 152810 - CAN-2004-0966 GNU gettext Insecure Temporary File Creation Vulnerability
Summary: CAN-2004-0966 GNU gettext Insecure Temporary File Creation Vulnerability
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://secunia.com/advisories/12774/
Whiteboard: LEGACY
Depends On:
Reported: 2004-10-11 21:24 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:


Description David Lawrence 2005-03-30 23:28:15 UTC
A vulnerability has been reported in gettext, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused by temporary files being created insecurely.
This can be exploited via symlink attacks to overwrite or create arbitrary files
with the privileges of the user running gettext.
(Gentoo) http://bugs.gentoo.org/show_bug.cgi?id=66355

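As an added illustration of the class of bug described above (this is not code from the bug report or from gettext), the following shell script shows the weak pattern in a constructed sample script modelled only on its shape, a small lint that flags lines building paths under /tmp or /var/tmp without mktemp, and the hardened mktemp-based form with a self-check. It assumes GNU or BSD coreutils (mktemp, stat); the sample script is constructed and is not the real source of autopoint or gettextize.

```shell
#!/bin/sh
# Added example, not part of the bug report or of gettext. Assumes GNU or BSD
# coreutils (mktemp, stat). The sample script below is constructed to have
# the shape of the weak pattern; it is not autopoint's or gettextize's source.

# Constructed sample of a script using a predictable temporary file.
sample_script() {
  cat <<'EOF'
#!/bin/sh
# weak: the name is guessable and '>' follows a symlink planted at that path
tmp=/tmp/autopoint.$$
echo "$config" > $tmp
# acceptable: unique name, created atomically, private to this user
work=$(mktemp -d "${TMPDIR:-/tmp}/gettextize.XXXXXX")
cp "$tmp" "$work/copy"
EOF
}

# Lint: print the lines of a script that build a path under /tmp or /var/tmp
# without going through mktemp (line-numbered so a reviewer can inspect them).
list_weak_tmp_lines() {
  grep -nE '(^|[^A-Za-z0-9_.])(/tmp|/var/tmp)/' "$1" | grep -v 'mktemp'
}

# Same lint, returning only the number of offending lines.
count_weak_tmp_lines() {
  list_weak_tmp_lines "$1" | wc -l | tr -d ' '
}

# Hardened form: mktemp creates the file with O_CREAT|O_EXCL and a random
# suffix, so a pre-planted symlink makes the call fail instead of being
# followed; the subshell body keeps the umask change local to this function.
safe_tmp_file() (
  umask 077
  mktemp "${TMPDIR:-/tmp}/autopoint.XXXXXX"
)

# Self-check: the created file is a regular file (not a symlink) with mode
# 0600. Returns 0 on success and always removes the file it created.
safe_tmp_is_private() {
  f=$(safe_tmp_file) || return 1
  if [ -L "$f" ] || [ ! -f "$f" ]; then rm -f "$f"; return 1; fi
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  rm -f "$f"
  [ "$mode" = "600" ]
}

# Stand-alone run: lint the constructed sample and exercise the safe form.
if [ "${1:-}" = "--demo" ]; then
  s=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX")
  sample_script > "$s"
  echo "weak temp-file lines in sample: $(count_weak_tmp_lines "$s")"
  list_weak_tmp_lines "$s"
  rm -f "$s"
  safe_tmp_is_private && echo "mktemp file is private and not a symlink"
fi
```

Run it with `sh script.sh --demo`. The lint is deliberately coarse (any /tmp path not produced by mktemp is reported), which is the right bias for a review pass over build-helper scripts like the ones named in this bug: a false positive costs a minute of reading, a missed predictable name costs a file overwrite with the invoking user's privileges.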
------- Additional Comments From simon@nzservers.com 2004-10-14 09:41:19 ----

I don't think 7.3 is vulnerable to this. The two patches provided on the
gentoo bugzilla don't even remotely match any of the code in gettext-0.11.1.
The first patch for misc/autopoint.in references a file introduced in a later
version. The second patch fixes a routine that sets the PATH_SEPARATOR. This
routine doesn't appear to exist in this version.
- Si

------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-05 05:51:20 ----

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0966

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

------- Additional Comments From pekkas@netcore.fi 2004-12-20 10:57:13 ----

From Red Hat's bugzilla, Mark Cox said:

"Temporary file vulnerability in autopoint, gettextize scripts.  Patch
attached.  These issues don't affect the scripts shipped with gettext
in RHEL2.1, RHEL3."

This is not definitive -- the RHL9 version might bear checking against RHEL3, but if
this is true, is FC1 the only affected platform (if even that is)?

------- Additional Comments From pekkas@netcore.fi 2005-02-15 06:43:54 ----

According to the advisory, only 1.14 and up are affected.  RHL73, RHL9 and FC1
are all older than this so closing (I hope this is the right resolution).

------- Additional Comments From dom@earth.li 2005-02-15 13:52:11 ----

Which advisory? Had a quick scan through and couldn't find anything definitive.

------- Additional Comments From pekkas@netcore.fi 2005-02-15 19:24:58 ----

In the CVE, it says:

"The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14
and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other
operating systems, allows local users to overwrite files via a symlink attack on
temporary files."

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 also gives hints
towards that direction.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2151 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl@redhat.com.
Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.

Comment 1 Matthew Miller 2005-04-12 05:15:24 UTC
Note that bug #136323 for FC2 (apparently impacted) is still open.