Bug 466732 (CVE-2008-4474) - CVE-2008-4474 freeradius: dialupadmin insecure temporary file usage
Summary: CVE-2008-4474 freeradius: dialupadmin insecure temporary file usage
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2008-4474
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-13 10:24 UTC by Tomas Hoger
Modified: 2021-11-12 19:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-26 08:18:10 UTC
Embargoed:



Description Tomas Hoger 2008-10-13 10:24:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4474 to the following vulnerability:

freeradius-dialupadmin in freeradius 2.0.4 allows local users to overwrite
arbitrary files via a symlink attack on temporary files in (1) backup_radacct,
(2) clean_radacct, (3) monthly_tot_stats, (4) tot_stats, and (5)
truncate_radacct.

Upstream bugreport with the patch:
http://bugs.freeradius.org/show_bug.cgi?id=605

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496389
http://lists.debian.org/debian-devel/2008/08/msg00271.html
http://uvw.ru/report.lenny.txt
http://www.securityfocus.com/bid/30901
http://secunia.com/advisories/32170
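The vulnerability class named in the CVE text above is a script writing to a fixed, predictable path under /tmp, so that whatever a local user has placed at that path receives the write. The following is an added illustration for this report, not code from the freeradius project or from the dialupadmin scripts it names: it shows the hardened pattern (mktemp-created file, symlink check before reuse, atomic rename into place) that the upstream fix class relies on. The function names, the radacct.XXXXXX template and the --demo switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from freeradius/dialupadmin): safe temporary-file handling
# for a cleanup/backup script of the kind CVE-2008-4474 describes.

# Insecure pattern (the bug class in the CVE): a fixed, predictable path in a
# world-writable directory, written through a plain redirection.
#   tmpfile=/tmp/clean_radacct.tmp
#   echo "$data" > "$tmpfile"
# Any local user can pre-create that path; the redirection then follows it.

# Hardened pattern: mktemp creates a uniquely named file (mode 0600) under a
# directory we control via TMPDIR, and we refuse anything that is not a
# regular, non-symlink file before handing the path back.
make_safe_tmp() {
    f=$(mktemp "${TMPDIR:-/tmp}/radacct.XXXXXX") || return 1
    # Defensive re-check: mktemp never hands out a symlink, but a script that
    # keeps reusing a path should verify before every write.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Returns 0 only when the path is an existing regular file and not a symlink.
# A caller applies this to any temp path it is about to write to again.
is_safe_tmp_path() {
    p=$1
    [ ! -L "$p" ] && [ -f "$p" ]
}

# Write content to dest through a safe temp file, then rename it into place.
# rename(2) is atomic on one filesystem, so readers never see a half-written
# file and no fixed /tmp name is ever opened for writing.
write_via_tmp() {
    dest=$1
    content=$2
    tmp=$(make_safe_tmp) || return 1
    trap 'rm -f "$tmp"' EXIT          # clean up if we fail before the mv
    printf '%s\n' "$content" > "$tmp"
    mv -f "$tmp" "$dest" || return 1
    trap - EXIT
}

# Usage demo (constructed input); run as: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    TMPDIR=$(mktemp -d); export TMPDIR
    write_via_tmp "$TMPDIR/radacct.backup" "constructed accounting row"
    cat "$TMPDIR/radacct.backup"
    rm -rf "$TMPDIR"
fi
```

Keep TMPDIR pointing at a directory the script owns when the data is sensitive; that removes the shared /tmp from the picture entirely, and the symlink check then only guards against reuse mistakes inside the script itself.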

Comment 1 Tomas Hoger 2008-10-13 10:29:14 UTC
This issue affects freeradius 2.x packages as shipped in Fedora 9 and Rawhide.  Prior to freeradius 2.0, the dialupadmin subpackage was not created and shipped.  Some issues also affect dialupadmin versions as bundled with freeradius 1.x sources / source RPMs, but those were never distributed as official Fedora / Red Hat Enterprise Linux (binary) packages.

This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Comment 4 John Dennis 2008-11-22 20:26:52 UTC
New packages for F-9 and F-10 have been built and pushed which remove the dialupadmin subpackages. dialupadmin was never present in RHEL and will not be added to any future RHEL version.

From my perspective this can now be closed. Do you agree?

Comment 5 Tomas Hoger 2008-11-23 21:00:01 UTC
We usually try to close only after updates actually make it to stable, so feel free to close once updates get pushed.

Just out of curiosity, may I ask why packages in different Fedora versions use different release numbers, even though they seem to come from the same sources (-3.fc11, -4.fc10, -5.fc9)?  It seems that you actually bumped the release intentionally after syncing changes from F-X to F-(X-1).  Why's that?  It's not needed and can only break upgrade paths (-5.fc9 is newer than -4.fc10).

Comment 9 Tomas Hoger 2008-11-26 08:18:10 UTC
The dialupadmin subpackage was dropped from the Fedora freeradius packages; updated freeradius packages were pushed to stable via:

  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10309
  https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10392
