Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Aug 2012 11:22:18 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: Thomas Woerner <>, Jim Meyering <>,
        Ville Skyttä <>
Subject: [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race
 condition in annotate-output

Hello vendors,

  please see a report about CVE-2012-3500 rpmdevtools /
devscripts issue below.

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Summary: rpmdevtools, devscripts: TOCTOU race condition in annotate-output

A TOCTOU race condition was found in the way 'annotate-output'
(used to execute a program annotating the output linewise with
time and stream) tool of rpmdevtools, a suite of scripts and
(X)Emacs support files to aid in development of RPM packages,
performed management of its temporary files used for standard
output and standard error output. A local attacker could use
this flaw to conduct symbolic link attacks, possibly leading
to their ability in an unauthorized way to alter files belonging
to the user running the 'annotate-output' tool.

CVE id: CVE-2012-3500

Credit: Issue found by Jim Meyering of Red Hat

Proposed patch:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.