Bug 251319 (CVE-2008-5374) - <app-shells/bash-4.1_p7 aliasconv symlink attack (CVE-2008-5374)
Status: RESOLVED FIXED
Alias: CVE-2008-5374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://dev.gentoo.org/~rbu/security/d...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-17 16:01 UTC by Robert Buchholz (RETIRED)
Modified: 2012-10-20 01:02 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:01:01 UTC
CVE-2008-5374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5374):
  bash-doc 3.2 allows local users to overwrite arbitrary files via a
  symlink attack on a /tmp/cb#####.? temporary file, related to the (1)
  aliasconv.sh, (2) aliasconv.bash, and (3) cshtobash scripts.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:26:14 UTC
I tested =app-shells/bash-3.2_p48 with USE=examples, and it installs these files:

./usr/share/doc/bash-3.2_p48/examples/misc/aliasconv.bash
./usr/share/doc/bash-3.2_p48/examples/misc/aliasconv.sh
./usr/share/doc/bash-3.2_p48/examples/misc/cshtobash
Comment 2 SpanKY gentoo-dev 2008-12-26 09:10:38 UTC
unless i'm mistaken, this is only an issue when USE=examples, and if the person actually takes the example code and starts using it themselves.  in other words, the affected scope is quite minor ...

we can just `rm` the files for now ...
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-26 20:59:38 UTC
(In reply to comment #2)
> unless i'm mistaken, this is only an issue when USE=examples, and if the person
> actually takes the example code and starts using it themselves.  in other
> words, the affected scope is quite minor ...

Indeed, and it only affects ~arch ebuilds. I'd be in favor of tracking this issue upstream, bumping as they do, and using this bug as a blocker for stabilization of the >=3.2_p39 ebuilds.
Comment 4 SpanKY gentoo-dev 2008-12-29 22:39:45 UTC
or we can just disable USE=examples when moving to stable.  but otherwise, that sounds good to me.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-31 08:36:26 UTC
Indeed I can confirm =bash-3.2_p51 (still in the tree) is affected by this issue with USE="examples".

Now it gets more interesting because =bash-4.0_p37 (old stable) is also affected. =bash-4.0_p38 is affected.

>=bash-4.1 is not affected.

The choices I see are:

- remove vulnerable ebuilds from the tree
- mask the "examples" USE flag for vulnerable versions
- remove the "examples" USE flag for vulnerable versions
- patch the vulnerable versions to use mktemp instead
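
The last option in the list above, as an added example (not code from bash's examples directory or from any Gentoo ebuild): a predictable PID-based temp name beside its mktemp replacement, each checked against a symlink that already exists in a private sandbox directory. The function names and the `cb$$.1` naming are assumptions modelled on the `/tmp/cb#####.?` pattern in the CVE text.

```shell
#!/bin/sh
# Added example; not the code of aliasconv.sh, aliasconv.bash or cshtobash.

# Weak form: the name is derived from the PID, so it can be guessed in advance.
# The naming is an assumption modelled on /tmp/cb#####.? from the CVE text.
write_predictable() {   # $1 = temp directory, $2 = data
    tmp="$1/cb$$.1"
    printf '%s\n' "$2" > "$tmp"     # ">" opens through an existing symlink
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively (it fails rather than reuse an existing path), mode 0600.
write_mktemp() {        # $1 = temp directory, $2 = data
    tmp=$(mktemp "$1/cb.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    rm -f "$tmp"
}

# Constructed scenario inside a private sandbox directory: a symlink already
# occupies the predictable name and points at a file that must not change.
# Prints "clobbered" or "intact" for the writer function named in $1.
check_writer() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/cb$$.1"
    "$1" "$sandbox/tmp" "converted aliases"
    if [ "$(cat "$sandbox/victim")" = "original" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

check_writer write_predictable   # prints: clobbered
check_writer write_mktemp        # prints: intact
```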
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-04 22:57:52 UTC
Looks like 4.1_p7 was the first unaffected, stable version.

=app-shells/bash-3.1_p17 is the only vulnerable version left to be cleaned. 

Adding to existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-10-20 01:02:39 UTC
This issue was resolved and addressed in
 GLSA 201210-05 at http://security.gentoo.org/glsa/glsa-201210-05.xml
by GLSA coordinator Sean Amoss (ackle).