Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

To: 496410@bugs.debian.org
Subject: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
From: Nico Golde <nion@debian.org>
Date: Fri, 17 Oct 2008 14:23:11 +0200
Message-id: <[🔎] 20081017122311.GA2420@ngolde.de>
Reply-to: Nico Golde <nion@debian.org>, 496410@bugs.debian.org

Hi,
the following two additional CVE ids have been assigned to 
symlink issues in cman & redhat-cluster:
CVE-2008-4579[0]:
| The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
| fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
| allows local users to append to arbitrary files via a symlink attack
| on the apclog temporary file.

CVE-2008-4580[1]:
| fence_manual in fence allows local users to modify arbitrary files via
| a symlink attack on the fence_manual.fifo temporary file.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4579
    http://security-tracker.debian.net/tracker/CVE-2008-4579
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4580
    http://security-tracker.debian.net/tracker/CVE-2008-4580

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpCmBSFVznQW.pgp
Description: PGP signature

Reply to:

Prev by Date: Bug#497623: linux-image-2.6.26: randomly crashes without traces
Next by Date: Processed: tagging 445987
Previous by thread: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Next by thread: Bug#494984: Bug #494984 Critical temperature reached on the EeePC models 701, 900
Index(es):
- Date
- Thread