Bug 466732 - CVE-2008-4474 freeradius: dialupadmin insecure temporary file usage
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20081007,public=2...
Keywords: Security
Reported: 2008-10-13 06:24 EDT by Tomas Hoger
Modified: 2016-03-04 07:19 EST
Doc Type: Bug Fix
Last Closed: 2008-11-26 03:18:10 EST
Description Tomas Hoger 2008-10-13 06:24:19 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4474 to the following vulnerability:

freeradius-dialupadmin in freeradius 2.0.4 allows local users to overwrite
arbitrary files via a symlink attack on temporary files in (1) backup_radacct,
(2) clean_radacct, (3) monthly_tot_stats, (4) tot_stats, and (5)
truncate_radacct.

Upstream bug report with the patch:
http://bugs.freeradius.org/show_bug.cgi?id=605

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496389
http://lists.debian.org/debian-devel/2008/08/msg00271.html
http://uvw.ru/report.lenny.txt
http://www.securityfocus.com/bid/30901
http://secunia.com/advisories/32170
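As an added example that is not code from the bug report or the freeradius sources, the script below contrasts the temp-file pattern the CVE text describes (a fixed, predictable name under a world-writable directory) with a hardened form using mktemp, and includes a small audit helper for spotting the same shape in other scripts. SCRATCH, the file names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from freeradius or the bug report. It contrasts the
# temp-file pattern behind CVE-2008-4474 (a fixed path under a world-writable
# directory) with a hardened form, and adds a small audit helper for scripts.
# File names, paths and the sample script are constructed for illustration.

# SCRATCH is where the "temporary" files go. The dialupadmin scripts wrote
# into /tmp; a test can point this at a private directory instead.
SCRATCH="${SCRATCH:-/tmp}"

# Risky form: predictable name, plain redirection. If someone has already
# planted $SCRATCH/radacct.tmp as a symlink, ">" opens whatever the link
# points to and truncates it with the script's own output.
unsafe_tmpfile() {
    tmp="$SCRATCH/radacct.tmp"
    printf 'accounting data\n' > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Hardened form: mktemp(1) creates a brand-new file (O_CREAT|O_EXCL, mode
# 0600) with an unpredictable suffix, so a pre-planted link is never opened.
safe_tmpfile() {
    tmp=$(mktemp "$SCRATCH/radacct.XXXXXX") || return 1
    printf 'accounting data\n' > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Audit helper: list lines in a script that redirect, copy, move or tee into
# a fixed path under /tmp or /var/tmp, the shape this advisory describes.
find_fixed_tmp_paths() {
    grep -nE '(>[[:space:]]*|(cp|mv|tee) [^|;&]*)/(var/)?tmp/[A-Za-z0-9_.-]+' "$1"
}
```

Run the audit helper against a script directory (for example `for f in bin/*; do find_fixed_tmp_paths "$f"; done`) to get a line-numbered list of candidates to review.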
Comment 1 Tomas Hoger 2008-10-13 06:29:14 EDT
This issue affects freeradius 2.x packages as shipped in Fedora 9 and Rawhide. Prior to freeradius 2.0, the dialupadmin subpackage was not created and shipped. Some issues also affect dialupadmin versions as bundled with freeradius 1.x sources / source RPMs, but those were never distributed as official Fedora / Red Hat Enterprise Linux (binary) packages.

This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 3, 4, or 5.
Comment 4 John Dennis 2008-11-22 15:26:52 EST
New packages for F-9 and F-10 have been built and pushed which remove the dialupadmin subpackages. dialupadmin was never present in RHEL and will not be added to any future RHEL version.

From my perspective this can now be closed. Do you agree?
Comment 5 Tomas Hoger 2008-11-23 16:00:01 EST
We usually try to close only after updates actually make it to stable, so feel free to close once updates get pushed.

Just out of curiosity, may I ask why packages in different Fedora versions use different release numbers, even though they seem to come from the same sources (-3.fc11, -4.fc10, -5.fc9).  It seems that you actually bumped the release intentionally after syncing changes from F-X to F-(X-1).  Why's that?  It's not needed and can only break upgrade paths (-5.fc9 is newer than -4.fc10).
Comment 9 Tomas Hoger 2008-11-26 03:18:10 EST
The dialupadmin subpackage was dropped from the Fedora freeradius packages; updated freeradius packages were pushed to stable via:

  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10309
  https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10392
