Bugzilla – Bug 48161
VUL-0: CVE-2003-0887: ez-ipupdate: tmp vulnerability
Last modified: 2021-09-29 14:39:41 UTC
Hi, the following was posted to vendor-sec. Please, make the changes in our STABLE tree. Thank you! :)
Date: Sat, 15 Nov 2003 12:41:41 +0100
From: Arjan van de Ven <arjanv@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] ez-ipupdate package

Hi,

The ez-ipupdate package by default comes with a set of example config files that put a fixed filename in /tmp while the binary that handles the file does nothing to even remotely do that safely.

It seems that SUSE and Mandrake both ship this package.

I've changed the location of the cache file to default to /var/cache/ez-ipupdate; I would suggest that anyone who ships this also changes the default locations in the configs to be not-in-/tmp.

Greetings,
Arjan van de Ven
Btw, the default conf file in /etc has cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache.ppp0 and /var/lib/ez-ipupdate is not world writeable. I patched the example configs.
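The check described in the two comments above can be scripted. This is an added example, not part of the bug report or the ez-ipupdate package: it reads the cache-file= setting from each config file given as an argument and flags it when the containing directory is writable by other users. The function names are hypothetical, and taking the last cache-file= line when several are present is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): audit ez-ipupdate config files
# for a cache-file= path that lives in a world-writable directory.

# Print the cache-file value of config $1. Comment lines never match the
# pattern; using the last assignment in the file is an assumption.
cache_file_of() {
    sed -n 's/^[[:space:]]*cache-file[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if directory $1 (symlinks followed) has the others-write bit set.
# Character 9 of the ls mode string is that bit, e.g. drwxrwxrwt for /tmp.
dir_is_world_writable() {
    [ -d "$1" ] || return 1
    case $(ls -ldL "$1" | cut -c9) in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one config file; return 1 when its cache file location is unsafe.
audit_conf() {
    conf=$1
    cache=$(cache_file_of "$conf")
    if [ -z "$cache" ]; then
        echo "OK (no cache-file set): $conf"
        return 0
    fi
    dir=$(dirname "$cache")
    if dir_is_world_writable "$dir"; then
        echo "UNSAFE: $conf: $cache ($dir is world-writable)"
        return 1
    fi
    echo "OK: $conf: $cache"
    return 0
}

# Audit every config file named on the command line.
rc=0
for conf in "$@"; do
    audit_conf "$conf" || rc=1
done
[ "$rc" -eq 0 ] || exit 1
```

Run it over both the installed config and the shipped example configs, since the report concerns the examples.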
CAN-2003-0887. I hope RH doesn't want to make a full blown update because of it...
CVE-2003-0887: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)