Steve Kemp discovered the _rl_tropen() function in readline, a set of libraries to handle command lines, insecurely handled a temporary file. This could allow a local attacker to perform symbolic link attacks. As noted in the CVE request, _rl_tropen() is typically only called during debugging. CVE request: http://seclists.org/oss-sec/2014/q1/579
Created readline tracking bugs for this issue: Affects: fedora-all [bug 1077026]
Created mingw-readline tracking bugs for this issue: Affects: fedora-all [bug 1077035]
MITRE assigned CVE-2014-2524 to this issue: http://seclists.org/oss-sec/2014/q1/588
Fixed upstream in 6.3 patch 3 by making the code only get compiled in when building with -DDEBUG. http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html http://git.savannah.gnu.org/cgit/readline.git/commit/?id=8408f86 ftp://ftp.cwru.edu/pub/bash/readline-6.3-patches/readline63-003
Statement: This issue is only exposed via readline's debugging/tracing code and is not used by readline or any other application in Red Hat Enterprise Linux. The tracing functions are defined in a private header file and are only meant for the readline library's internal use. In general use, there is no exposure of this insecure temporary file issue, and while this does affect the versions of readline as shipped with Red Hat Enterprise Linux 5, 6 and 7 it is not currently planned to be addressed in future updates. Red Hat Product Security has rated this issue as having Low security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.