Date: Fri, 31 Aug 2012 11:22:18 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: Thomas Woerner <>, Jim Meyering <>,
        Ville Skyttä <>
Subject: [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race condition in annotate-output

Hello vendors,

  please see a report about the CVE-2012-3500 rpmdevtools /
devscripts issue below.

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Summary: rpmdevtools, devscripts: TOCTOU race condition in annotate-output

A TOCTOU race condition was found in the way the 'annotate-output'
tool (used to execute a program and annotate its output linewise
with time and stream) of rpmdevtools, a suite of scripts and
(X)Emacs support files to aid in the development of RPM packages,
managed the temporary files it uses for standard output and
standard error output. A local attacker could use this flaw to
conduct symbolic link attacks, possibly allowing them to alter,
in an unauthorized way, files belonging to the user running the
'annotate-output' tool.
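The following is an added example illustrating the hardened temporary-file pattern for a tool of this kind; it is not the annotate-output script from devscripts or rpmdevtools, nor the proposed patch. It keeps the per-stream scratch files (one FIFO for stdout, one for stderr) inside a private directory that mktemp -d creates atomically with mode 0700, so there is no check-then-use window in a shared directory for another local user to exploit with a symbolic link. The function names and the output format are hypothetical.

```shell
#!/bin/sh
# Added example, not the annotate-output script from devscripts/rpmdevtools.
# Scratch files are created only inside a private directory that mktemp -d
# creates atomically, so no other local user can pre-place a symbolic link
# at the path this script will write to. Function names are hypothetical.
#
# Weak pattern this replaces: a predictable path in a shared directory
# (e.g. OUT=/tmp/annotate.$$), tested with [ -e "$OUT" ] and then created
# or written. Between the test and the write another user can plant a link
# at that name, and the write then lands wherever the link points.

# Sanity check on a directory we created ourselves: it must be a real
# directory (not a link) with owner-only permissions. Because we created
# it atomically and own it, this check has no race against anyone else.
verify_private_dir() {
    d=$1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    perms=$(ls -ld "$d" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

# Tag each line read on stdin with a timestamp and a stream letter.
tag_lines() {
    stream=$1
    while IFS= read -r line; do
        printf '%s %s: %s\n' "$(date +%H:%M:%S)" "$stream" "$line"
    done
}

# Run "$@" and annotate its stdout (O) and stderr (E) line by line.
# Returns the exit status of the wrapped command.
annotate_run() {
    # mktemp -d creates the directory atomically with mode 0700; there is
    # no moment at which the name exists without already being ours.
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/annotate.XXXXXX") || return 1
    # Remove the scratch directory on every exit path, including signals.
    trap 'rm -rf "$tmpdir"' EXIT HUP INT TERM
    if ! verify_private_dir "$tmpdir"; then
        echo "refusing to use $tmpdir: not a private directory" >&2
        return 1
    fi
    # Only we can create entries in $tmpdir, so these two names cannot be
    # hijacked by a link planted by another local user.
    mkfifo "$tmpdir/out" "$tmpdir/err" || return 1
    tag_lines O < "$tmpdir/out" &
    tag_lines E < "$tmpdir/err" &
    # The 'if' keeps a failing command from aborting a 'set -e' caller.
    if "$@" > "$tmpdir/out" 2> "$tmpdir/err"; then rc=0; else rc=$?; fi
    wait
    rm -rf "$tmpdir"
    trap - EXIT HUP INT TERM
    return "$rc"
}

# Usage: annotate_run sh -c 'echo hello; echo oops >&2'
```

The point is not the annotation itself but where the scratch files live: a name chosen inside a directory nobody else can write to makes the later check redundant rather than racy, which is what a predictable name under /tmp cannot offer.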

CVE id: CVE-2012-3500

Credit: Issue found by Jim Meyering of Red Hat

Proposed patch:
