Robert Vogelgesang reported that the dhcpd init script as used in dhcp packages in Red Hat Enterprise Linux 3 does not create temporary files safely inside the configtest() function. The temporary file created by the script has a predictable name (using the script's process id), allowing a local attacker to perform a symlink attack. When the init script is called with the configtest, restart or reload argument, an arbitrary file may be overwritten by the output of 'dhcpd -t' (dhcpd.conf syntax check).
This issue did not affect dhcp packages in Red Hat Enterprise Linux 4 and 5, and current Fedora versions (9, 10, 11).
Opening bug
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1154 https://rhn.redhat.com/errata/RHSA-2009-1154.html
MITRE's CVE-2009-1893 entry:

The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1893
http://www.redhat.com/support/errata/RHSA-2009-1154.html
http://www.securityfocus.com/bid/35670
http://securitytracker.com/id?1022554
http://secunia.com/advisories/35831
http://xforce.iss.net/xforce/xfdb/51718
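
The temporary-file pattern described in this report next to a mktemp-based replacement, as an added example that is not the Red Hat init script or code from this bug. The `dhcpd.$$` file name, the `check_config` stand-in for `dhcpd -t`, and the private sandbox directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Stand-in for "dhcpd -t" (constructed): emits a syntax-check report.
check_config() { echo "dhcpd.conf syntax check: OK"; }

# Pattern from the report: temp file named after the script's PID.
# The ".$$" name is predictable, and '>' follows a symlink planted there.
configtest_unsafe() {
    tmpfile="$1/dhcpd.$$"                  # hypothetical file name
    check_config > "$tmpfile" 2>&1
    rm -f "$tmpfile"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively (it fails instead of reusing an existing path), mode 0600.
configtest_safe() {
    tmpfile=$(mktemp "$1/dhcpd.XXXXXX") || return 1
    check_config > "$tmpfile" 2>&1
    rm -f "$tmpfile"
}

# Run one variant inside a private sandbox directory where the predictable
# name already exists as a symlink to a "protected" file, then report
# whether that file survived. Prints "intact" or "overwritten".
run_case() {
    sandbox=$(mktemp -d) || return 1
    echo "important data" > "$sandbox/protected"
    ln -s "$sandbox/protected" "$sandbox/dhcpd.$$"
    "$1" "$sandbox"
    if [ "$(cat "$sandbox/protected")" = "important data" ]; then
        echo intact
    else
        echo overwritten
    fi
    rm -rf "$sandbox"
}

echo "PID-based name: $(run_case configtest_unsafe)"
echo "mktemp:         $(run_case configtest_safe)"
```

The demo uses a private directory because current Linux kernels with the fs.protected_symlinks sysctl enabled refuse to follow another user's symlink in a sticky world-writable directory such as /tmp. That kernel setting is defence in depth; creating the file with mktemp is the fix in the script itself.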