[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] insecure tmpfile creation in scrollkeeper



Topic
=====
scrollkeeper creates tmpfiles insecurely

Problem Description
===================
ScrollKeeper is a cataloging system for documentation. All versions of
ScrollKeeper between 0.3 and 0.3.11 have a tempfile vulnerability.

The scrollkeeper-get-cl command generates temporary files in the /tmp
directory.  These files are named scrollkeeper-tempfile.[0-4], and while
creating these files scrollkeeper-get-cl follows symbolic links. These
files are created when a user logs in to a GNOME session and are created as
the user who logged in. This means an attacker with local access can easily
create and overwrite files as another user.

Affected Systems
================
scrollkeeper versions between 0.3 and 0.3.11 (both included)

Solution
========
upgrade to a patched version for your distribution

RedHat 7.3
----------
rpm -Fvh scrollkeeper-0.3.4-5.i386.rpm

Debian 3.0 (woody)
------------------
upgrade to scrollkeeper_0.3.6-3.1_i386.deb,
           libscrollkeeper0_0.3.6-3.1_i386.deb,
           libscrollkeeper-dev_0.3.6-3.1_i386.deb