Bug 50103 - (CVE-2004-0108) VUL-0: CVE-2004-0108: sysstat: insecure tmp file handling
Status: RESOLVED FIXED
Duplicates: 53411
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Normal
Assigned To: Tomas Crhak
Security Team bot
CVE-2004-0108: CVSS v2 Base Score: 4....
Reported: 2004-02-26 22:15 UTC by Thomas Biege
Modified: 2021-10-11 13:54 UTC (History)
Attachments
- sysstat-5.0.1-mktemp.patch (657 bytes, patch) - 2004-02-26 22:16 UTC, Thomas Biege
- patchinfo.sysstat (349 bytes, text/plain) - 2004-02-26 22:26 UTC, Thomas Biege
- patchinfo-box.sysstat (346 bytes, text/plain) - 2004-02-26 22:28 UTC, Thomas Biege
- mail (40.63 KB, text/plain) - 2004-03-03 16:11 UTC, Thomas Biege
- mail attachment (39.81 KB, application/x-shellscript) - 2004-03-03 16:12 UTC, Thomas Biege

Description Thomas Biege 2004-02-26 22:15:16 UTC
Hi,
the following was posted on vendor-sec.
---------- Forwarded message ----------
Date: Tue, 24 Feb 2004 12:27:52 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0108 sysstat (isag) vulnerability

Alan Cox was looking at our sysstat packages and noticed that the version
of isag included with sysstat contains a minor temporary file
vulnerability.  We've allocated CVE name CAN-2004-0108 to this issue.
I've included the patch written by Nils Philippsen against 5.0.1.

I've informed the sysstat and isag upstream vendors and suggested that we
embargo this issue until 1400UTC on March 10th.

We also found that our own sysstat rpms contained another vulnerability in
our post/trigger scripts.  This isn't a flaw in the upstream sysstat
packages;  we will correct this at the same time (let me know if anyone
here shipping rpm updates has the same issue).

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
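The flaw class named in the forwarded mail (a program writing to a predictable file name in a shared temporary directory, fixed upstream with a mktemp-based patch) is illustrated below with an added shell example. It is not code from sysstat, isag, or the attached patch; the `isag.XXXXXX` template, the function names and the check logic are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not sysstat/isag code): contrast a predictable temp-file
# name with one created safely, and give a script a check it can run on
# the file it is about to use.

# Insecure pattern: a fixed, guessable name in a world-writable directory.
# Another local user can pre-create the path (or a symlink at it) before
# the script runs, and the script then writes through it. Shown only for
# contrast; nothing below writes to this path.
insecure_tmpfile() {
    echo "/tmp/isag.$$"
}

# Hardened pattern: mktemp creates the file atomically with mode 0600 and
# a random suffix, and honours TMPDIR instead of hard-coding /tmp.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/isag.XXXXXX"
}

# Check that a path is a regular file (not a symlink), owned by the caller,
# and unreadable/unwritable by group and others. Returns 0 when it is safe
# to use, 1 otherwise. The -L test runs first because -f follows symlinks.
tmpfile_is_private() {
    f="$1"
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || return 1
    return 0
}

# Usage: tmp=$(safe_tmpfile) && tmpfile_is_private "$tmp" || exit 1
```

The check is a belt-and-braces step: `mktemp` already guarantees the file is new and 0600, so `tmpfile_is_private` mainly catches scripts that later loosen permissions or fall back to a hard-coded path.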
Comment 1 Thomas Biege 2004-02-26 22:15:16 UTC
-
Comment 2 Thomas Biege 2004-02-26 22:16:58 UTC
Created attachment 16218 [details]
sysstat-5.0.1-mktemp.patch
Comment 3 Thomas Biege 2004-02-26 22:26:28 UTC
Created attachment 16221 [details]
patchinfo.sysstat
Comment 4 Thomas Biege 2004-02-26 22:28:14 UTC
Created attachment 16222 [details]
patchinfo-box.sysstat
Comment 5 Thomas Biege 2004-03-03 16:11:32 UTC
Created attachment 16316 [details]
mail
Comment 6 Thomas Biege 2004-03-03 16:12:26 UTC
Created attachment 16317 [details]
mail attachment
Comment 7 Tomas Crhak 2004-03-09 02:38:28 UTC
fixed except for stable (I'll do this ASAP)
Comment 8 Thomas Biege 2004-03-09 19:30:00 UTC
Ok,
please reassign to me if you are done.
Comment 9 Andreas Jaeger 2004-03-28 21:51:31 UTC
Is this fixed for STABLE now?
Comment 10 Tomas Crhak 2004-03-30 20:52:07 UTC
submitted together with another fix
Comment 11 Roman Drahtmueller 2004-04-06 01:36:09 UTC
*** Bug 53411 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Biege 2004-04-06 02:34:02 UTC
packages approved a few minutes ago.
Comment 13 Thomas Biege 2009-10-13 20:15:37 UTC
CVE-2004-0108: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)