LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

rpmdevtools: symlink attack

Package(s):rpmdevtools CVE #(s):CVE-2012-3500
Created:September 12, 2012 Updated:April 10, 2013
Description: From the Red Hat bugzilla:

A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools, a suite of scripts and (X)Emacs support files to aid in development of RPM packages, performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool.

Alerts:
Fedora FEDORA-2012-13234 2012-09-12
Fedora FEDORA-2012-13263 2012-09-12
Debian DSA-2549-1 2012-09-15
Ubuntu USN-1593-1 2012-10-02
Mageia MGASA-2012-0316 2012-10-29
openSUSE openSUSE-SU-2012:1437-1 2012-11-05
Mandriva MDVSA-2013:123 2013-04-10
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds