Red Hat Bugzilla – Bug 462326
CVE-2008-4108 python: Generic FAQ wizard moving tool insecure auxiliary /tmp file usage (symlink attack possible)
Last modified: 2009-03-13 06:00:12 EDT
Description of problem:
A security flaw was discovered in the Python generic FAQ wizard moving
Relevant part of the code:
28 cut_n_pad $1 2 suffix1
29 cut_n_pad $2 1 prefix2
30 cut_n_pad $2 2 suffix2
An attacker could in advance create a symbolic link pointing to tmpXXXXX.tmp
(the output produced by $RANDOM is only 5 digits long), then run the Python
generic FAQ wizard moving tool which would allow him to erase / truncate the target of the symbolic link to zero size.
This issue affects all versions of the Python package, as shipped with
Red Hat Enteprise Linux 4, 5 and all versions of the Python package,
as shipped within Fedora releases of 8, 9 and 10.
(In reply to comment #1)
> This issue affects all versions of the Python package, as shipped with
> Red Hat Enteprise Linux 4, 5 and all versions of the Python package,
> as shipped within Fedora releases of 8, 9 and 10.
Affected script is part of python source RPM for those Red Hat Enterprise Linux and Fedora versions, but it is not shipped in any binary RPM, hence there's nothing to fix. Closing.