Bug 460636 - (CVE-2008-4937) CVE-2008-4937 openoffice.org-core: Insecure temporary file usage
CVE-2008-4937 openoffice.org-core: Insecure temporary file usage
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
reported=20080828,public=20080824,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-29 07:14 EDT by Jan Lieskovsky
Modified: 2008-11-06 05:55 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-06 05:55:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-08-29 07:14:30 EDT
The version of the openoffice.org-core package as shipped with Fedora
release of 9 (openoffice.org-core-2.4.1-17.4.fc9.*) is prone to the symlink
attack. 

Affected file: /usr/lib/openoffice.org/program/senddoc

Relevant part of the code:

      1 #!/bin/sh
      2 URI_ENCODE="`dirname $0`/uri-encode"
      3 
      4 echo "$@" > /tmp/log.obr.$$
      5 echo "$#" >> /tmp/log.obr.$$
      6 

Description:

A malicious user could precreate a symbolic link to file /tmp/log.obr.$$
(pids are assigned in subsequent order and even it is not too hard to create
a symlinks to all 64K pids). Subsequent run of the oo* command and sending
the message as part of the mail would destroy / truncate the size of the
synlink target to zero. 

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496367

Affected openoffice.org-core versions:

This issue does not affect the versions of the openoffice.org-core package,
as shipped with Red Hat Enterprise Linux 3, 4 and 5 and within Fedora
releases of 8 and 10.

This issue affects only version of the openoffice.org-core package, 
as shipped within the Fedora release of 9 (openoffice.org-core-2.4.1-17.4.fc9).
Comment 1 Caolan McNamara 2008-08-29 07:24:01 EDT
The pending update at 
https://admin.fedoraproject.org/updates/openoffice.org-2.4.1-17.6.fc9
includes the openoffice.org-2.4.0.ooo93119.shell.echos.patch fix for this
Comment 2 Fedora Update System 2008-09-10 02:39:21 EDT
openoffice.org-2.4.1-17.6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Tomas Hoger 2008-11-06 05:54:00 EST
CVE id CVE-2008-4937 was assigned to this issue:

senddoc in OpenOffice.org (OOo) 2.4.1 allows local users to overwrite
arbitrary files via a symlink attack on a /tmp/log.obr.##### temporary
file.
Comment 4 Tomas Hoger 2008-11-06 05:55:18 EST
Affected Fedora 9 packages fixed via:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-7680

No other OpenOffice.org version we ship was affected by this problem (see comment #0).

Note You need to log in before you can comment on or make changes to this bug.