Bug 18785 - /tmp symlink vulnerability in gnorpm < 0.95 (bugtraq id 1761)
Summary: /tmp symlink vulnerability in gnorpm < 0.95 (bugtraq id 1761)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gnorpm   
(Show other bugs)
Version: 6.2
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Matt Wilson
QA Contact: Dale Lovelace
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-10-10 08:36 UTC by p.jenner
Modified: 2007-03-27 03:36 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-10 08:36:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description p.jenner 2000-10-10 08:36:32 UTC
There is a /tmp symlink vulnerability in gnorpm 0.9 shipped in Red Hat
6.2.  From bugtraq id 1761:

<quote>
A vulnerabiity exists in versions prior to v0.95 of GnoRPM, the Gnome
graphical RPM manager, involving the way gnomerpm handles tmp files.
GnomeRPM creates temporary files in the world-writeable /tmp directory with
preditable filenames. It is possible for a malicious user to create
symbolic links in /tmp with guessed/predicted filenames, knowing in advance
that GnomeRPM will be run by root. When this happens, the files pointed to
by the correctly guessed symbolic links will be overwritten by GnomeRPM (as
root).
<unquote>

This vulnerability is fixed in gnorpm 0.95.1 and Red Hat should upgrade to
this version to fix the vulnerability.

I hope this helps,

Paul

Comment 1 p.jenner 2000-10-13 07:40:04 UTC
This has been closed by Red Hat errata RHSA-2000:072-05.


Note You need to log in before you can comment on or make changes to this bug.