Bug 246015 (CVE-2008-4968) - app-benchmarks/lmbench<=3 symlink attacks (CVE-2008-4968)
Summary: app-benchmarks/lmbench<=3 symlink attacks (CVE-2008-4968)
Status: RESOLVED FIXED
Alias: CVE-2008-4968
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
Reported: 2008-11-07 22:13 UTC by Stefan Behte (RETIRED)
Modified: 2009-09-09 13:35 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 22:13:42 UTC
CVE-2008-4968 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4968):
  The (1) rccs and (2) STUFF scripts in lmbench 3.0-a7 allow local
  users to overwrite arbitrary files via a symlink attack on a
  /tmp/sdiff.##### temporary file.
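
The class of bug the CVE entry describes, as an added example that is not part of the original report and is not lmbench's code: a script writing to a predictable temp-file name, beside a `mktemp`-based version. The function names, the sandbox directory and the suffix `12345` are constructed for illustration, and the assumption that `#####` stands for a guessable value such as the shell PID is mine; the page does not show the scripts themselves.

```shell
#!/bin/sh
# Constructed demo: everything happens in a private sandbox directory,
# never in the real /tmp. Function names are illustrative.

# Vulnerable pattern: a guessable name plus a plain redirection.
# If the path is already a symlink, the shell follows it and
# truncates whatever file it points to.
unsafe_write() {    # $1 = temp directory, $2 = predictable suffix (e.g. a PID)
    echo "diff output" > "$1/sdiff.$2"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the
# file exclusively, so a pre-planted path is never reused.
safe_write() {      # $1 = temp directory; prints the path it created
    f=$(mktemp "$1/sdiff.XXXXXXXXXX") || return 1
    echo "diff output" > "$f"
    printf '%s\n' "$f"
}

# Walk through both patterns against a planted symlink.
demo() {
    box=$(mktemp -d) || return 1
    echo "important data" > "$box/victim"
    ln -s "$box/victim" "$box/sdiff.12345"   # constructed stand-in for the planted link

    unsafe_write "$box" 12345
    echo "after unsafe_write: victim contains '$(cat "$box/victim")'"

    echo "important data" > "$box/victim"
    out=$(safe_write "$box")
    echo "after safe_write:   victim contains '$(cat "$box/victim")', wrote $out"
    rm -rf "$box"
}

demo
```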
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 22:16:08 UTC
Confirmed for our in-tree version.
http://dev.gentoo.org/~rbu/security/debiantemp/lmbench
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:25:58 UTC
*ping*
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-08 22:57:29 UTC
Larry wrote:

I would close that out as a silly bug.  You shouldn't be running
lmbench as root.

[...]

If you (or anyone) wants to submit a patch I'm happy to review and
apply it.  lmbench is open source, that's the whole point.  I'm
busy with my day job, when I don't have that problem maybe I'll 
be more interested in silly security reports.

[...]
Comment 4 Daniel Black (RETIRED) gentoo-dev 2009-02-07 07:15:07 UTC
A closer look at all /tmp usage shows there are more possibilities than listed here. In light of the almost dead upstream I'm in favour of a purge of the package. Alternate packages exist in the app-benchmarks category.

Objections anyone (last rites email coming soon)?
Comment 5 Daniel Black (RETIRED) gentoo-dev 2009-04-29 00:53:43 UTC
Package removed. (dev-announce was sent 2009-02-07)
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-07 18:22:04 UTC
We need to vote: I vote YES.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:54:26 UTC
YES, filed.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:35:20 UTC
GLSA 200909-10