Bug 50103 (CVE-2004-0108)

Summary: VUL-0: CVE-2004-0108: sysstat: insecure tmp file handling
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Tomas Crhak <tcrhak>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0108: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sysstat-5.0.1-mktemp.patch
patchinfo.sysstat
patchinfo-box.sysstat
mail
mail attachment

Description Thomas Biege 2004-02-26 22:15:16 UTC
Hi, 
the following was posted on vendor-sec. 
---------- Forwarded message ---------- 
Date: Tue, 24 Feb 2004 12:27:52 +0000 (GMT) 
From: Mark J Cox <mjc@redhat.com> 
To: vendor-sec@lst.de 
Subject: [vendor-sec] CAN-2004-0108 sysstat (isag) vulnerability 
 
Alan Cox was looking at our sysstat packages and noticed that the version 
of isag included with sysstat contains a minor temporary file 
vulnerability.  We've allocated CVE name CAN-2004-0108 to this issue. 
I've included the patch written by Nils Philippsen against 5.0.1. 
 
I've informed the sysstat and isag upstream vendors and suggested that we 
embargo this issue until 1400UTC on March 10th. 
 
We also found that our own sysstat rpms contained another vulnerability in 
our post/trigger scripts.  This isn't a flaw in the upstream sysstat 
packages;  we will correct this at the same time (let me know if anyone 
here shipping rpm updates has the same issue). 
 
Thanks, Mark 
-- 
Mark J Cox / Red Hat Security Response Team
Comment 1 Thomas Biege 2004-02-26 22:15:16 UTC
-
Comment 2 Thomas Biege 2004-02-26 22:16:58 UTC
Created attachment 16218 [details]
sysstat-5.0.1-mktemp.patch
Comment 3 Thomas Biege 2004-02-26 22:26:28 UTC
Created attachment 16221 [details]
patchinfo.sysstat
Comment 4 Thomas Biege 2004-02-26 22:28:14 UTC
Created attachment 16222 [details]
patchinfo-box.sysstat
Comment 5 Thomas Biege 2004-03-03 16:11:32 UTC
Created attachment 16316 [details]
mail
Comment 6 Thomas Biege 2004-03-03 16:12:26 UTC
Created attachment 16317 [details]
mail attachment
Comment 7 Tomas Crhak 2004-03-09 02:38:28 UTC
fixed except for stable (I'll do this ASAP)
Comment 8 Thomas Biege 2004-03-09 19:30:00 UTC
Ok, 
please reassign to me if you are done. 
Comment 9 Andreas Jaeger 2004-03-28 21:51:31 UTC
Is this fixed for STABLE now?
Comment 10 Tomas Crhak 2004-03-30 20:52:07 UTC
submitted together with another fix
Comment 11 Roman Drahtmueller 2004-04-06 01:36:09 UTC
*** Bug 53411 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Biege 2004-04-06 02:34:02 UTC
packages approved a few minutes ago. 
Comment 13 Thomas Biege 2009-10-13 20:15:37 UTC
CVE-2004-0108: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)