[CVE-2008-4406/4407] - Sabre - local users to cause a denial of service andlocal users to delete or overwrite arbitrary files via a symlink attack
Bug #283446 reported by
Stefan Lesicnik
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sabre (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Dapper |
Fix Released
|
Undecided
|
Stefan Lesicnik | ||
Gutsy |
Fix Released
|
Undecided
|
Stefan Lesicnik | ||
Hardy |
Fix Released
|
Undecided
|
Stefan Lesicnik | ||
Intrepid |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: sabre
A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b
allows local users to delete or overwrite arbitrary files via a symlink
attack on unspecified .tmp files.
http://
XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create
/tmp/sabre.log, which allows local users to cause a denial of service
(application unavailability) by creating a /tmp/sabre.log file that cannot
be overwritten.
Changed in sabre: | |
status: | New → Fix Released |
assignee: | nobody → stefanlsd |
status: | New → In Progress |
assignee: | nobody → stefanlsd |
status: | New → In Progress |
assignee: | nobody → stefanlsd |
status: | New → In Progress |
Changed in sabre: | |
status: | In Progress → Fix Committed |
status: | In Progress → Fix Committed |
status: | In Progress → Fix Committed |
Changed in sabre: | |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
Two separate CVE issues exist both with regards to the creation of .tmp files.
The first is a local users denial of service, where one user starts the application and the file is created and not removed. Subsequent different users cannot start the application as this file exists and cannot be removed.
The second is a symlink attack to possibly delete or overwrite arbitrary files.
cat /etc/fstab
##UNCONFIGURED BASE SYSTEM
ln -s /etc/fstab /tmp/sabre.log
cat /etc/fstab
Not running in a graphics capable console,
and unable to find one.
The upstream provided patch uses mktemp to generate random temporary files.