Summary: app-forensics/rkhunter Insecure temp file creation
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen 2005-04-21 22:50:00 UTC
The supplied check_update.sh script creates temporary files insecurely:

/tmp/rkhunter.upd.gz
/tmp/rkhunter.upd

At least the first one is easy to exploit. It is executed when rkhunter --update is called.

Auditors please verify my findings.
Comment 1 Tavis Ormandy (RETIRED) 2005-04-22 02:28:38 UTC
Confirmed, there are more in rkhunter:

/tmp/procmail.txt
/tmp/proftpd.txt
/tmp/openssh.txt

These are UUoC as well, I suppose the author didn't know 2>&1 :)
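
The pattern reported in the description and Comment 1, next to the usual remedies, as an added example that is not part of the bug report, the attached fix, or rkhunter's code. The function names, the sandbox layout and the `victim.conf` file are constructed for illustration; only the `rkhunter.upd` file name comes from the report.

```sh
#!/bin/sh
# Added example, not rkhunter code. File names under $1 are constructed.

# Weak pattern: fixed, predictable name in a shared directory.
# $1 = shared dir (stands in for /tmp), $2 = data to write.
write_fixed_name() {
    printf '%s\n' "$2" > "$1/rkhunter.upd"   # '>' follows an existing symlink
}

# Hardened: mktemp picks an unpredictable name and creates the file
# atomically (O_EXCL, mode 0600). Prints the path it created.
write_mktemp() {
    tmpfile=$(mktemp "$1/rkhunter.upd.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# No temp file at all: capture a command's stdout and stderr with 2>&1.
capture_output() {
    "$@" 2>&1
}

# Demo inside a private sandbox directory, so no real file is touched.
demo() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/tmp"; mkdir "$shared"
    victim="$sandbox/victim.conf"
    # Constructed precondition: the predictable name already exists as a
    # symlink to a file the script's user can write.
    ln -s "$victim" "$shared/rkhunter.upd"

    printf 'original\n' > "$victim"
    write_fixed_name "$shared" "update data"
    after_fixed=$(cat "$victim")      # overwritten through the symlink

    printf 'original\n' > "$victim"
    safe=$(write_mktemp "$shared" "update data") || return 1
    after_mktemp=$(cat "$victim")     # unchanged
    safe_content=$(cat "$safe")

    rm -rf "$sandbox"
    echo "fixed name: victim contains '$after_fixed'"
    echo "mktemp:     victim contains '$after_mktemp'"
}

demo
```

Where a temp file only holds a command's output for later parsing, as with the `.txt` files listed in Comment 1, `capture_output` removes the file entirely.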
Comment 2 Sune Kloppenborg Jeppesen 2005-04-22 05:58:43 UTC
Comment 3 Sune Kloppenborg Jeppesen 2005-04-22 10:21:12 UTC
Upstream responded that he will look into it. Upstream CC'ed.
Comment 4 Tavis Ormandy (RETIRED) 2005-04-25 09:54:52 UTC
Created attachment 57197: suggested fix
Comment 5 Aaron Walker (RETIRED) 2005-04-25 10:22:40 UTC
Looks good here. 1.2.3-r1 is in CVS pending new upstream release. CC'd archs please mark stable.
Comment 6 Thierry Carrez (RETIRED) 2005-04-25 11:52:02 UTC
Opening the bug since the fix is in CVS now.
Comment 7 Gustavo Zacarias (RETIRED) 2005-04-25 11:59:11 UTC
Comment 8 Jan Brinkmann (RETIRED) 2005-04-25 12:05:22 UTC
stable on amd64
Comment 9 Michael Hanselmann (hansmi) (RETIRED) 2005-04-25 12:39:31 UTC
Stable on ppc.
Comment 10 Aaron Walker (RETIRED) 2005-04-26 04:46:32 UTC
New upstream release is out, but still vulnerable (none of the suggested fixes were applied). A patched 1.2.4 is in CVS.
Comment 11 Aaron Walker (RETIRED) 2005-04-26 04:48:50 UTC
Looks like alpha stabled but never commented on the bug. This one's ready to go.
Comment 12 Sune Kloppenborg Jeppesen 2005-04-26 12:31:28 UTC