It was reported[1] lynis, a security auditing tool, uses a predictable filename in /tmp/. As lynis must be run as root, a local attacker could possibly use this flaw to perform a symbolic link attack and escalate their privileges to root.

The report may be referring to the following:

    if [ "${OS}" = "AIX" ]; then
        TMPFILE=/tmp/lynis.$$

Testing on Fedora 20 revealed /tmp/ffiYFc1nZ was used across multiple runs; however, this name does not appear in the source and may be related to something else.

[1] http://seclists.org/fulldisclosure/2014/Jun/21

CVE request: http://www.openwall.com/lists/oss-security/2014/06/05/14
Created lynis tracking bugs for this issue:

Affects: fedora-all [bug 1105000]
Affects: epel-6 [bug 1105001]
Sorry for the useless bug. Filed trackers in case the maintainers know more...
MITRE assigned CVE-2014-3982 to the following issue:

    if [ "${OS}" = "AIX" ]; then
        TMPFILE=/tmp/lynis.$$

This should not affect Linux.

MITRE also assigned CVE-2014-3986 to the following, which does affect Linux:

    TMPFILE=`mktemp /tmp/lynis.XXXXXX`
    ...
    find ${I} -name "*.conf" -print >> ${TMPFILE}.unsorted

This is the issue the original report (http://seclists.org/fulldisclosure/2014/Jun/21) refers to.

References:
http://www.openwall.com/lists/oss-security/2014/06/06/12
http://www.openwall.com/lists/oss-security/2014/06/07/3
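The weakness in the CVE-2014-3986 fragment is that mktemp only protects the one name it creates; ${TMPFILE}.unsorted is a second, predictable path in the shared /tmp that was never created safely. The following is an added example of the safe pattern (it is not lynis's own code nor the upstream fix): all scratch files live inside a private mktemp -d directory, so no name is ever derived in a world-writable location. Function and variable names are assumptions.

```shell
# Added example (not lynis code): collect *.conf paths under a directory
# without deriving temp-file names in the shared /tmp.
# $1: directory to scan. Prints the path of the sorted result file.
collect_conf_files() {
    scan_dir=$1
    # One private, 0700, unpredictable working directory (assumed prefix "lynis.")
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/lynis.XXXXXX") || return 1
    chmod 700 "$workdir" || return 1  # mktemp -d already does this; be explicit
    unsorted="$workdir/unsorted"
    sorted="$workdir/sorted"
    # Belt and braces: with noclobber, '>' fails instead of following an
    # existing file or symlink at either path.
    ( set -C; : > "$unsorted" && : > "$sorted" ) || return 1
    find "$scan_dir" -name "*.conf" -print >> "$unsorted" || return 1
    sort "$unsorted" > "$sorted" || return 1
    printf '%s\n' "$sorted"
}

# Remove the working directory that holds a result file produced above.
remove_workdir() {
    result=$1
    workdir=$(dirname "$result")
    # Refuse to delete anything that is not a private directory we own.
    [ -d "$workdir" ] && [ -O "$workdir" ] || return 1
    [ -n "$(find "$workdir" -prune -perm 700)" ] || return 1
    rm -rf "$workdir"
}
```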
These issues were fixed upstream in version 1.5.5: http://linux-audit.com/lynis-security-notice-154-and-older/
lynis-1.5.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
lynis-1.5.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.