CVE-2008-5155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5155): mail2sms.sh in smsclient 2.0.8z allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/header.##### or (2) /tmp/body.##### temporary file, or append data to arbitrary files via a symlink attack on the (3) /tmp/sms.log temporary file.
Not yet verified, sorry.
OK, we're vulnerable: # grep "/tmp/" ./contrib/mail2sms-shell/mail2sms.sh /usr/bin/cp /dev/null /tmp/header.$$ echo "$LINE" >> /tmp/header.$$ SENDER=`head -n 1 /tmp/header.$$ | awk '{print $2}'` TARGET=`grep ^Subject: /tmp/header.$$ | awk '{print $2}'` echo "$LINE" >> /tmp/body.$$ MSG=`cat /tmp/body.$$` /usr/bin/sms_client $TARGET "$MSG" >> /tmp/sms.log rm /tmp/header.$$ rm /tmp/body.$$
mail2sms is not installed by smsclient. Craig, for avoiding further noise about this issue, please check if those scripts you find to be vulnerable are also present in the ${D} directory. Closed as INVALID.
Sorry, as my current machine is a bit slow I just unpacked and missed it. :(
