| Summary: | VUL-0: CVE-2005-0990: sharutils tmp race |
| Product: | [Novell Products] SUSE Security Incidents |
| Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents |
| Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED |
| QA Contact: | Security Team bot <security-team> |
| Severity: | Normal |
| Priority: | P5 - None |
| Version: | unspecified |
| Target Milestone: | --- |
| Hardware: | Other |
| OS: | All |
| Whiteboard: | CVE-2005-0990: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) |
| Found By: | Other |
| Services Priority: | |
| Business Priority: | |
| Blocker: | --- |
| Marketing QA Status: | --- |
| IT Deployment: | --- |

We received the following report via full-disclosure. The issue is public. Just to get the CAN into bugzilla. Fixed for 10.0 already due to upstream fix.

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated sharutils package fixes security issue
Advisory ID: FLSA:154991
Issue date: 2005-07-10
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0990
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated packages for sharutils which fix a security vulnerability are now available.

The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue.

All users of sharutils should upgrade to these packages, which resolve this issue.
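
The class of temporary-file flaw the advisory describes, as an added example (not sharutils code and not part of the advisory; the page does not show how unshar created its files): a guessable name opened without `O_EXCL` follows a symlink that already exists at that path, while `O_CREAT|O_EXCL` or `mkstemp()` refuses it. The function names and the `/tmp/symrace.XXXXXX` scratch directory are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern: a guessable name opened without O_EXCL follows a symlink
 * that someone else placed at that path first. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at the path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it
 * exclusively with mode 0600. tmpl must end in "XXXXXX". */
int open_mkstemp(char *tmpl) { return mkstemp(tmpl); }

/* Self-check in a private scratch directory (constructed scenario): a symlink
 * tmpfile -> victim exists before the opener runs. Returns 1 if the victim's
 * content was overwritten, 0 if it survived, -1 on setup failure. */
int victim_clobbered(int (*opener)(const char *)) {
    char dir[] = "/tmp/symrace.XXXXXX", victim[64], tmp[64], buf[16] = {0};
    int fd, rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tmpfile", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "keep", 4) == 4 && close(fd) == 0 &&
        symlink(victim, tmp) == 0) {
        fd = opener(tmp);
        if (fd >= 0) { if (write(fd, "data", 4) < 0) perror("write"); close(fd); }
        fd = open(victim, O_RDONLY);
        if (fd >= 0 && read(fd, buf, sizeof buf - 1) >= 0)
            rc = strcmp(buf, "keep") != 0;
        if (fd >= 0) close(fd);
    }
    unlink(tmp); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) {
    printf("predictable name: victim clobbered = %d\n", victim_clobbered(open_predictable));
    printf("O_EXCL:           victim clobbered = %d\n", victim_clobbered(open_exclusive));
    return 0;
}
```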