
Bug 90007

Summary: app-forensics/rkhunter Insecure temp file creation
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: ka0ttic, michael
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Flags
suggested fix none

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-04-21 22:50:00 UTC
The supplied script creates temporary files insecurely: 


At least the first one is easy to exploit.

It is executed when rkhunter --update is called.

Auditors please verify my findings.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-22 02:28:38 UTC
Confirmed, there are more in rkhunter:


these are UUoC as well, I suppose the author didn't know 2>&1 :)
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-22 05:58:43 UTC
Upstream notified.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-22 10:21:12 UTC
Upstream responded that he will look into it.

upstream CC'ed.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-25 09:54:52 UTC
Created attachment 57197
suggested fix
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-04-25 10:22:40 UTC
Looks good here.  1.2.3-r1 is in CVS pending new upstream release.  CC'd archs please mark stable.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-25 11:52:02 UTC
Opening the bug since the fix is in CVS now
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-25 11:59:11 UTC
sparc stable.
Comment 8 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-25 12:05:22 UTC
stable on amd64
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-25 12:39:31 UTC
Stable on ppc.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:46:32 UTC
New upstream release is out, but still vulnerable (none of the suggested fixes were applied).  A patched 1.2.4 is in CVS.
Comment 11 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:48:50 UTC
Looks like alpha stabled but never commented on the bug.  This one's ready to go.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-26 12:31:28 UTC
GLSA 200504-25