Python 'move-faqwiz.sh' Uses Unsafe Temporary Files That Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1020904
|
|
SecurityTracker URL: http://securitytracker.com/id?1020904
|
|
CVE Reference: CVE-2008-4108
(Links to External Site)
|
Date: Sep 22 2008
|
Impact: User access via local system
|
Version(s): 2.5.2 and prior versions
|
Description: A vulnerability was reported in Python in the 'move-faqwiz.sh' script. A local user can obtain elevated privileges on the target system.
The Python generic FAQ wizard moving tool ('Tools/faqwiz/move-faqwiz.sh') creates temporary files in an unsafe manner. A local user
can create a symbolic link (symlink) from a critical file on the system to the temporary file. Then, when the script is executed
by the target user, the symlinked file will be created or overwritten with the privileges of the target user.
Jan Hauke Rahm
reported this vulnerability.
|
Impact: A local user can obtain elevated privileges on the target system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: python.org/ (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Jan Lieskovsky <jlieskov@redhat.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 2008-09-15 12:51:59
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request (python)
|
Hello Steve,
could you please allocate a CVE id for the
following Python generic FAQ wizard moving tool
issue:
References:
https://bugzilla.redhat.com/show_bug.cgi?id=462326
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498899
Impact: Symbolic link attack possibility
Affected versions: python-2.3.4-*+
Thank you in advance
Kind regards
Jan iankko Lieskovsky
RH Security Response Team
|
|
