Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5374 to the following vulnerability: bash-doc 3.2 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/cb#####.? temporary file, related to the (1) aliasconv.sh, (2) aliasconv.bash, and (3) cshtobash scripts. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5374 http://lists.debian.org/debian-devel/2008/08/msg00347.html http://uvw.ru/report.sid.txt Affected files: /usr/share/doc/bash-3.1/misc/aliasconv.bash /usr/share/doc/bash-3.1/misc/aliasconv.sh /usr/share/doc/bash-3.1/misc/cshtobash Sample affected code: 10 trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15 11 12 T=$'\t' 13 14 cat << \EOF >/tmp/cb$$.1 36 $BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \ 37 -e 's/\$term/\$TERM/g' \ Problem: A malicious user could pre-create symbolic link with target to any system file. Subsequent running of above scripts would truncate its content. If these files does not needed to be shipped within the bash package, remove them, or apply fix via 'mktemp'.
This issue affects all versions of the bash package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. This issue affects all versions of the bash package, as shipped with Fedora releases 8, 9 and 10.
Statement: This issue has been addressed in Red Hat Enterprise Linux 4 via RHSA-2011:0261 advisory. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1073 advisory.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2011:0261 https://rhn.redhat.com/errata/RHSA-2011-0261.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:1073 https://rhn.redhat.com/errata/RHSA-2011-1073.html