The supplied check_update.sh script creates temporary files insecurely: /tmp/rkhunter.upd.gz and /tmp/rkhunter.upd. At least the first one is easy to exploit. It is executed when rkhunter --update is called. Auditors, please verify my findings.
Confirmed, there are more in rkhunter: /tmp/procmail.txt, /tmp/proftpd.txt, /tmp/openssh.txt. These are UUoC as well; I suppose the author didn't know 2>&1 :)
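One way to avoid the fixed /tmp names reported above, shown as an added example that is not the attached patch or rkhunter's own code. The function names and the `rkh-upd` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: unpack downloaded update data without using a predictable
# path such as /tmp/rkhunter.upd.gz. Names below are illustrative only.

# Decompress gzip data from stdin into "$1", refusing to reuse an existing path.
# With noclobber (set -C) the shell will not overwrite an existing regular
# file, and bash and dash create new files with O_EXCL, so a file or symlink
# that someone else placed at "$1" beforehand makes the redirection fail
# instead of being written through.
gunzip_to_new_file() {
    ( set -C; gzip -dc > "$1" ) 2>/dev/null
}

# Read gzip data on stdin, unpack it inside a private scratch directory and
# print the path of the unpacked file. Returns non-zero on any failure.
unpack_update() {
    # mktemp -d picks an unpredictable name and creates the directory
    # atomically with mode 0700, so other local users cannot plant files in it.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/rkh-upd.XXXXXXXXXX") || return 1

    if gunzip_to_new_file "$workdir/update"; then
        printf '%s\n' "$workdir/update"
    else
        # Corrupt input or a refused write: leave nothing behind.
        rm -rf "$workdir"
        return 1
    fi
}
```

The caller is responsible for removing the directory that contains the returned path once the update data has been processed.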
Upstream notified.
Upstream responded that he will look into it. Upstream CC'ed.
Created attachment 57197: suggested fix
Looks good here. 1.2.3-r1 is in CVS pending new upstream release. CC'd archs, please mark stable.
Opening the bug since the fix is in CVS now.
sparc stable.
stable on amd64
Stable on ppc.
New upstream release is out, but still vulnerable (none of the suggested fixes were applied). A patched 1.2.4 is in CVS.
Looks like alpha stabled but never commented on the bug. This one's ready to go.
GLSA 200504-25