Red Hat Bugzilla – Bug 472117
CVE-2008-5153 moodle insecure temporary file use
Last modified: 2016-03-04 06:11:08 EST
spell-check-logic.cgi in Moodle 1.8.2 allows local users to overwrite
arbitrary files via a symlink attack on the (1)
/tmp/spell-check-debug.log, (2) /tmp/spell-check-before, or (3)
/tmp/spell-check-after temporary file.
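The overwrite described above, reproduced inside a private directory next to two hardened ways of creating the file. This is an added example, not part of the original report and not the fix shipped in the Fedora packages. The function names and `victim.conf` are constructed for illustration, and a temporary directory stands in for `/tmp`.

```python
import os
import tempfile

def insecure_write(path, data):
    # Pattern behind the bug: fixed name, and open() follows symlinks.
    with open(path, "w") as fh:
        fh.write(data)

def safe_write_fixed(path, data):
    # O_EXCL fails if anything (including a symlink) already has this name;
    # O_NOFOLLOW is a second guard against following a final symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def safe_write_unique(directory, data):
    # Preferred: mkstemp picks an unpredictable name and creates it atomically.
    fd, path = tempfile.mkstemp(prefix="spell-check-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        victim = os.path.join(shared, "victim.conf")  # constructed target file
        log = os.path.join(shared, "spell-check-debug.log")
        insecure_write(victim, "original")
        os.symlink(victim, log)  # pre-existing symlink, as in the report
        insecure_write(log, "debug output")
        out["insecure_overwrote_victim"] = read(victim) == "debug output"
        insecure_write(victim, "original")  # reset the target
        try:
            safe_write_fixed(log, "debug output")
            out["fixed_name_refused"] = False
        except OSError:
            out["fixed_name_refused"] = True
        out["victim_intact"] = read(victim) == "original"
        unique = safe_write_unique(shared, "debug output")
        out["unique_group_other_bits"] = os.stat(unique).st_mode & 0o077
        out["unique_is_symlink"] = os.path.islink(unique)
    return out

if __name__ == "__main__":
    print(demo())
```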
Created moodle tracking bugs for this issue
CVE-2008-5153 Affects: F8 [bug #472118]
CVE-2008-5153 Affects: F9 [bug #472119]
CVE-2008-5153 Affects: Fdevel [bug #472120]
I see that this affects the current versions, as well. I don't see a proposed fix anywhere. I also don't see this reported upstream. Do we have a contact at Debian for this report? Would Dmitry Oboukhov be the right person?
I failed to find any Debian bug for this, these are Debian moodle bugs:
If you have good contacts upstream, it may be a good idea to double-check with them to make sure they are aware.
No contacts established, filed upstream bug:
Fixed in rawhide. Coming to the other branches.
moodle-1.9.3-5.fc10 has been submitted as an update for Fedora 10.
moodle-1.9.3-5.fc9 has been submitted as an update for Fedora 9.
moodle-1.9.3-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
moodle-1.9.3-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.