Red Hat Bugzilla – Bug 502174
CVE-2009-1753 Coccinelle: Insecure /tmp file use
Last modified: 2015-08-21 19:05:46 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1753 to
the following vulnerability:
Coccinelle 0.1.7 allows local users to overwrite arbitrary files via a
symlink attack on an unspecified "result file."
Created attachment 345076 [details]
Patch extracted from Debian counterpart (coccinelle_0.1.7.deb-3.diff.gz )
Url the coccinelle_0.1.7.deb-3.diff.gz was retrieved from:
I'll push out an updated build now.
BTW, I think that patch is totally bogus. I'll have a
chat with upstream & Debian devs about this.
Yeah, from quick look at the patch, looks like it only "comments out" the
relevant part. Need to admit, don't understand the *.ml syntax :(.
I've chatted with a Debian developer, and we agree
that the patch is 'correct', in that it fixes the
vulnerability, by just chopping out that bit of
So I'm going to go with the patch, and let upstream
come up with a real fix that includes the functionality
(saving intermediate files in /tmp in a safe way).
coccinelle-0.1.8-1.fc11.3 has been submitted as an update for Fedora 11.
I've requested that this gets pushed straight into
the F11 builds.
coccinelle-0.1.8-1.fc10.3 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.