CVE-2012-3500
Published: 3 September 2012
scripts/annotate-output.sh in devscripts before 2.12.2, as used in rpmdevtools before 8.3, allows local users to modify arbitrary files via a symlink attack on the temporary (1) standard output or (2) standard error output file.
Notes
Author | Note |
---|---|
tyhicks | If TMPDIR is not changed, mitigated by yama in Natty and newer |
Priority
Status
Package | Release | Status |
---|---|---|
devscripts | hardy | Ignored (end of life) |
devscripts | lucid | Released (2.10.61ubuntu5.3) |
devscripts | natty | Released (2.10.69ubuntu2.2) |
devscripts | oneiric | Released (2.11.1ubuntu3.2) |
devscripts | precise | Released (2.11.6ubuntu1.4) |
devscripts | upstream | Released (2.12.2) |

Patches

upstream: https://bugzilla.redhat.com/attachment.cgi?id=604260&action=diff

vendor: http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commit;h=1bbe2163987c53064a4cd57712927f4b06c01032

vendor: http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commit;h=4d23a5e6c90f7a37b0972b30f5d31dce97a93eb0