rpmdevtools: symlink attack

Package(s): rpmdevtools
CVE #(s): CVE-2012-3500
Created: September 12, 2012
Updated: April 10, 2013
Description: From the Red Hat bugzilla:

A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools, a suite of scripts and (X)Emacs support files to aid in development of RPM packages, performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool.

Alerts:
Fedora FEDORA-2012-13234 2012-09-12
Fedora FEDORA-2012-13263 2012-09-12
Debian DSA-2549-1 2012-09-15
Ubuntu USN-1593-1 2012-10-02
Mageia MGASA-2012-0316 2012-10-29
openSUSE openSUSE-SU-2012:1437-1 2012-11-05
Mandriva MDVSA-2013:123 2013-04-10
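
A race-free way for a shell wrapper of this kind to set up its temporary files for standard output and standard error, as an added example: this is not rpmdevtools code, and the advisory does not show the affected script. The function names `make_stream_dir` and `annotate`, the `O:`/`E:` prefixes and the demo command are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical names, not code from rpmdevtools.

# Create both stream FIFOs inside a directory that mktemp -d creates
# atomically with an unpredictable name and mode 0700. Other local users
# cannot write into it, so no symlink can be planted between a name being
# chosen and the file being created (the TOCTOU window).
# Runs in a subshell "( )" so the umask change does not leak to the caller.
make_stream_dir() (
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/annotate.XXXXXXXXXX") || exit 1
    mkfifo -m 600 "$dir/out" "$dir/err" || { rm -rf "$dir"; exit 1; }
    printf '%s\n' "$dir"
)

# Run "$@", prefixing stdout lines with "O: " and stderr lines with "E: ".
annotate() {
    dir=$(make_stream_dir) || return 1
    sed 's/^/O: /' < "$dir/out" &
    pid_out=$!
    sed 's/^/E: /' < "$dir/err" >&2 &
    pid_err=$!
    status=0
    "$@" > "$dir/out" 2> "$dir/err" || status=$?
    wait "$pid_out" "$pid_err"
    rm -rf "$dir"
    return "$status"
}

# Constructed demo command.
annotate sh -c 'echo to-stdout; echo to-stderr >&2'
```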

Copyright © 2013, Eklektix, Inc.