diff options
| author | nectar <nectar@FreeBSD.org> | 2004-02-14 05:07:05 +0800 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2004-02-14 05:07:05 +0800 |
| commit | 8357b63caa67d2692f4fea08c4492c759bd3a700 (patch) | |
| tree | 0f72419dcabb16ec456086bed717aea8977d0c3e | |
| parent | 60829a08e39754b6ba1e61b493f0d5e976de0893 (diff) | |
| download | freebsd-ports-gnome-8357b63caa67d2692f4fea08c4492c759bd3a700.tar.gz freebsd-ports-gnome-8357b63caa67d2692f4fea08c4492c759bd3a700.tar.zst freebsd-ports-gnome-8357b63caa67d2692f4fea08c4492c759bd3a700.zip | |
Note insecure temporary file/directory handling in libtool.
Reported by: eik
| -rw-r--r-- | security/vuxml/vuln.xml | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f45843e12ce1..6a7da82abdd9 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -32,6 +32,41 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. "http://www.vuxml.org/dtd/vuxml-1/vuxml-10.dtd"> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="cacaffbc-5e64-11d8-80e3-0020ed76ef5a"> + <topic>GNU libtool insecure temporary file handling</topic> + <affects> + <package> + <name>libtool</name> + <range><ge>1.3</ge><lt>1.3.5_2</lt></range> + <range><ge>1.4</ge><lt>1.4.3_3</lt></range> + <range><ge>1.5</ge><lt>1.5.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>libtool attempts to create a temporary directory in + which to write scratch files needed during processing. A + malicious user may create a symlink and then manipulate + the directory so as to write to files to which she normally + has no permissions.</p> + <p>This has been reported as a ``symlink vulnerability'', + although I do not think that is an accurate description.</p> + <p>This vulnerability could possibly be used on a multi-user + system to gain elevated privileges, e.g. root builds some + packages, and another user successfully exploits this + vulnerability to write to a system file.</p> + </body> + </description> + <references> + <url>http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405</url> + <url>http://www.securityfocus.com/archive/1/352333</url> + </references> + <dates> + <discovery>2004/01/30</discovery> + <entry>2004/02/13</entry> + </dates> + </vuln> + <vuln vid="0e154a9c-5d7a-11d8-80e3-0020ed76ef5a"> <topic>seti@home remotely exploitable buffer overflow</topic> <affects> @@ -409,7 +444,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <affects> <package> <name>XFree86-Server</name> - <range><le>4.3.0_13</le></range> + <range><le>4.3.0_14</le></range> <range><ge>4.3.99</ge><le>4.3.99.15_1</le></range> </package> </affects> |