[Secure-testing-team] Bug#508940: CVE-2008-5379: Symlink attack
Steffen Joeris
steffen.joeris at skolelinux.de
Tue Dec 16 20:32:07 UTC 2008
Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole
Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for netdisco-mibs-installer.

CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
| files via a symlink attack on the /tmp/netdisco-mibs-0.6.tar.gz
| temporary file, related to the (1) netdisco-mibs-install and (2)
| netdisco-mibs-download scripts.

The best way is to use mktemp in shell scripts, which should work for
this package too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5379
http://security-tracker.debian.net/tracker/CVE-2008-5379
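
Added example (not part of the original message, and not the package's own scripts): the fixed-name pattern from the CVE text beside an mktemp-based replacement, exercised in a private sandbox directory that stands in for /tmp. The names fetch_to, download_fixed, download_mktemp and demo are hypothetical, and the download step is simulated with constructed bytes.

```shell
#!/bin/sh
# Added example; not the netdisco-mibs-installer scripts themselves.
# fetch_to stands in for the real download step (assumption): it writes
# constructed bytes to the path it is given.
fetch_to() {
    printf 'constructed tarball bytes\n' > "$1"
}

# Pattern from the CVE text: a fixed, predictable name in a shared
# directory. If that name already exists as a symlink, the write follows it.
download_fixed() {
    fetch_to "$1/netdisco-mibs-0.6.tar.gz"
}

# Hardened form: mktemp -d either creates a new directory (owner-only
# permissions, unpredictable name) or fails, so nothing inside it can
# have been planted beforehand. Prints the directory for the caller.
download_mktemp() {
    work=$(mktemp -d "$1/netdisco-mibs.XXXXXX") || return 1
    fetch_to "$work/netdisco-mibs-0.6.tar.gz" || { rm -rf "$work"; return 1; }
    printf '%s\n' "$work"
}

# Self-check in a private sandbox: returns 0 only if the fixed-name write
# overwrote the symlink target and the mktemp write left it untouched.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/netdisco-mibs-0.6.tar.gz"

    download_fixed "$sandbox"
    fixed_result=$(cat "$sandbox/victim")

    printf 'original\n' > "$sandbox/victim"      # reset the target file
    download_mktemp "$sandbox" > /dev/null || { rm -rf "$sandbox"; return 1; }
    mktemp_result=$(cat "$sandbox/victim")

    rm -rf "$sandbox"
    [ "$fixed_result" = 'constructed tarball bytes' ] &&
        [ "$mktemp_result" = 'original' ]
}

demo && echo "fixed name followed the symlink; mktemp directory did not"
```

A real script would also remove the mktemp directory when it exits, for example with a trap on EXIT.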