Bug 95900 - (CVE-2005-0990) VUL-0: CVE-2005-0990: sharutils tmp race
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
Reported: 2005-07-11 07:18 UTC by Ludwig Nussel
Modified: 2021-11-04 16:23 UTC (History)
Description Ludwig Nussel 2005-07-11 07:18:47 UTC
We received the following report via full-disclosure.
The issue is public.

Just to get the CAN into bugzilla. Fixed for 10.0 already due to upstream fix.

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated sharutils package fixes security issue
Advisory ID:       FLSA:154991
Issue date:        2005-07-10
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-0990
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated packages for sharutils which fix a security vulnerability are
now available.

The sharutils package contains a set of tools for encoding and decoding
packages of files in binary or text format.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way unshar creates temporary files. A local user
could use symlinks to overwrite arbitrary files the victim running
unshar has write access to. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-0990 to this
issue.

All users of sharutils should upgrade to these packages, which resolve
this issue.
Comment 1 Ludwig Nussel 2005-07-11 07:19:49 UTC
fixed 
Comment 2 Thomas Biege 2009-10-13 21:32:33 UTC
CVE-2005-0990: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
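
The flaw class named in the advisory quoted in the description (a temporary file opened under a guessable name, so a planted symlink redirects the write) is shown here next to the hardened open. This is an added illustration in C, not sharutils code or the upstream fix; the function names, the `unsh.12345` file name and the sandbox directory are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkdtemp(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: guessable name, no O_EXCL, so a planted symlink is followed. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: creation fails if anything, even a symlink, already has the name. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Runs both patterns in a private mkdtemp() sandbox; all paths are constructed.
 * Result bits: 1 = exclusive open refused the symlink (EEXIST), 2 = predictable
 * open truncated the symlink's target, 4 = mkstemp() made a fresh regular file. */
int tmp_race_demo(void) {
    char dir[] = "/tmp/shar-demo-XXXXXX", target[64], planted[64], tmpl[64];
    struct stat st; FILE *f;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/unsh.12345", dir); /* guessable name */
    snprintf(tmpl, sizeof tmpl, "%s/unsh.XXXXXX", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fputs("important data\n", f); fclose(f);
    if (symlink(target, planted) != 0) return -1;

    fd = open_exclusive(planted);
    if (fd < 0 && errno == EEXIST) result |= 1;
    if (fd >= 0) close(fd);
    fd = open_predictable(planted);
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0) result |= 2;
    fd = mkstemp(tmpl);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(planted); unlink(target); rmdir(dir);
    return result;
}
int main(void) { printf("result bits: %d\n", tmp_race_demo()); return 0; }
```

The exclusive open is checked first, while the target still holds its data; the predictable open then empties it through the symlink, which matches the integrity-only impact in the CVSS vector above.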