Date: Fri, 31 Aug 2012 11:22:18 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Thomas Woerner <twoerner@...hat.com>, Jim Meyering <meyering@...hat.com>,
        Ville Skyttä <ville.skytta@....fi>
Subject: [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race condition in annotate-output

Hello vendors,

  please see the report about the CVE-2012-3500 rpmdevtools /
devscripts issue below.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

-------------------------------------------------------
Summary: rpmdevtools, devscripts: TOCTOU race condition in annotate-output

Description:
A TOCTOU race condition was found in the way the 'annotate-output'
tool of rpmdevtools (used to execute a program, annotating its output
linewise with time and stream; rpmdevtools is a suite of scripts and
(X)Emacs support files to aid in the development of RPM packages)
managed the temporary files it used for standard output and standard
error output. A local attacker could use this flaw to conduct symbolic
link attacks, possibly leading to unauthorized modification of files
belonging to the user running the 'annotate-output' tool.

CVE id: CVE-2012-3500

Credit: Issue found by Jim Meyering of Red Hat

Proposed patch:
  https://bugzilla.redhat.com/show_bug.cgi?id=848022#c2
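
The class of bug described in the advisory, as an added example that is not code from annotate-output, rpmdevtools, devscripts or the linked patch: a POSIX shell demonstration of the guessable temporary-file pattern that lets a local user mount a symlink attack, beside the mktemp-based pattern that prevents it. The file names 'annotate-demo.*' and 'annotate-output.*', the guessed PID 1234, the victim file and the sandbox directory are all assumptions made for the demonstration; the real script's code is not shown on this page. Everything runs inside a throw-away directory, so it never touches /tmp and needs no privileges.

```shell
#!/bin/sh
# Added example (not annotate-output's own code). Contrasts a temp-file
# pattern that is open to a TOCTOU symlink attack with a mktemp-based one.

# Vulnerable pattern (hypothetical): the temp file name is built from the
# PID, so a local attacker can guess it and plant a symlink there first.
# The victim's bare redirection then follows the link and overwrites the
# file it points to. Returns 0 when the victim's file got clobbered.
unsafe_pattern_is_clobbered() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim.txt"              # a file the victim owns
    printf 'important data\n' > "$victim"
    # Attacker: predict the PID-based name and plant the link in advance.
    ln -s "$victim" "$sandbox/annotate-demo.1234"
    # Victim, later: tmp=$TMPDIR/annotate-demo.$$ ; cmd > "$tmp"
    # (here $$ is simulated as the guessed value 1234)
    printf 'program output\n' > "$sandbox/annotate-demo.1234"
    if grep -q 'program output' "$victim"; then
        rc=0                                  # attack worked: data replaced
    else
        rc=1
    fi
    rm -rf "$sandbox"
    return $rc
}

# Hardened pattern: mktemp -d creates a freshly named directory with an
# unpredictable suffix and mode 0700, refusing any name that already
# exists, and the output files live inside that directory. A link planted
# at a guessed name is simply never used. Returns 0 when the victim's
# file is untouched, the directory is private, and the output landed
# inside it.
safe_pattern_is_intact() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim.txt"
    printf 'important data\n' > "$victim"
    # Attacker: same trick, at the only name they can predict.
    ln -s "$victim" "$sandbox/annotate-output.1234"
    # Victim: private work directory from mktemp, files created inside it.
    workdir=$(mktemp -d "$sandbox/annotate-output.XXXXXX") || return 2
    printf 'program output\n' > "$workdir/stdout"
    rc=1
    if [ "$(ls -ld "$workdir" | cut -c1-10)" = "drwx------" ] \
       && grep -q 'important data' "$victim" \
       && ! grep -q 'program output' "$victim" \
       && grep -q 'program output' "$workdir/stdout"; then
        rc=0
    fi
    rm -rf "$sandbox"
    return $rc
}

# How a wrapper script would apply the hardened pattern for real (the trap
# guarantees cleanup even when the wrapped command fails or is interrupted):
#   workdir=$(mktemp -d "${TMPDIR:-/tmp}/annotate-output.XXXXXX") || exit 1
#   trap 'rm -rf "$workdir"' EXIT HUP INT TERM
#   "$@" >"$workdir/stdout" 2>"$workdir/stderr"

if unsafe_pattern_is_clobbered; then
    echo "unsafe pattern: victim file overwritten through planted symlink"
fi
if safe_pattern_is_intact; then
    echo "mktemp pattern: victim file intact, output in private directory"
fi
```

The check in the hardened function is the one a practitioner should verify on a patched script: the work directory comes from mktemp (exclusive creation, random suffix, mode 0700), every temporary file is created inside it, and removal is tied to a trap rather than to the happy path.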
