Bug 669851 - (CVE-2010-4337) CVE-2010-4337 gnash: symlink attack via configure script
CVE-2010-4337 gnash: symlink attack via configure script
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 669852
  Show dependency treegraph
Reported: 2011-01-14 22:05 EST by Vincent Danen
Modified: 2015-08-19 16:46 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 605419 None None None Never

  None (edit)
Description Vincent Danen 2011-01-14 22:05:36 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4337 to
the following vulnerability:

Name: CVE-2010-4337
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4337
Assigned: 20101130
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605419
Reference: BID:45102
Reference: URL: http://www.securityfocus.com/bid/45102
Reference: OSVDB:69533
Reference: URL: http://www.osvdb.org/69533
Reference: SECUNIA:42416
Reference: URL: http://secunia.com/advisories/42416

The configure script in gnash 0.8.8 allows local users to overwrite
arbitrary files via a symlink attack on the (1)
/tmp/gnash-configure-errors.$$, (2) /tmp/gnash-configure-warnings.$$,
or (3) /tmp/gnash-configure-recommended.$$ files.
Comment 1 Vincent Danen 2011-01-14 22:06:44 EST
Created gnash tracking bugs for this issue

Affects: fedora-all [bug 669852]
Comment 2 Kevin Kofler 2011-01-15 05:13:51 EST
This doesn't affect our binary packages at all, does it? Only the SRPMs are affected, when people rebuild them in a live system or an insecure chroot.
Comment 3 Vincent Danen 2011-01-15 11:28:05 EST
That's exactly right.  So I wouldn't go out of the way to fix this, but would fix the next time gnash is built.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.