Red Hat Bugzilla – Bug 460636
CVE-2008-4937 openoffice.org-core: Insecure temporary file usage
Last modified: 2008-11-06 05:55:18 EST
The version of the openoffice.org-core package as shipped with Fedora
release of 9 (openoffice.org-core-2.4.1-17.4.fc9.*) is prone to the symlink
Affected file: /usr/lib/openoffice.org/program/senddoc
Relevant part of the code:
2 URI_ENCODE="`dirname $0`/uri-encode"
4 echo "$@" > /tmp/log.obr.$$
5 echo "$#" >> /tmp/log.obr.$$
A malicious user could precreate a symbolic link to file /tmp/log.obr.$$
(pids are assigned in subsequent order and even it is not too hard to create
a symlinks to all 64K pids). Subsequent run of the oo* command and sending
the message as part of the mail would destroy / truncate the size of the
synlink target to zero.
Affected openoffice.org-core versions:
This issue does not affect the versions of the openoffice.org-core package,
as shipped with Red Hat Enterprise Linux 3, 4 and 5 and within Fedora
releases of 8 and 10.
This issue affects only version of the openoffice.org-core package,
as shipped within the Fedora release of 9 (openoffice.org-core-2.4.1-17.4.fc9).
The pending update at
includes the openoffice.org-2.4.0.ooo93119.shell.echos.patch fix for this
openoffice.org-2.4.1-17.6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-4937 was assigned to this issue:
senddoc in OpenOffice.org (OOo) 2.4.1 allows local users to overwrite
arbitrary files via a symlink attack on a /tmp/log.obr.##### temporary
Affected Fedora 9 packages fixed via:
No other OpenOffice.org version we ship was affected by this problem (see comment #0).