/usr/bin/getweb is vulnerable to "Insecure temporary file creation" weaknesses
Bug #805370 reported by David
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
foo2zjs (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
/usr/bin/getweb is vulnerable to "Insecure temporary file creation". [0]
While I don't know if anyone uses the getweb command, the script makes a temporary directory in /tmp called foo2zjs; it then may download (depending on user input) one or more gzip files and extract them in /tmp/foo2zjs.
However, the script does not check if the folder already exists / the return code of mkdir - so the script could possibly result in the over-writing of files or simply extra junk placed in $random places on the file-system.
[0] - http://
[1] line 488
"
mkdir -p /tmp/foo2zjs
cd /tmp/foo2zjs
"
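The pattern quoted above beside a hardened form, as an added example that is not part of the bug report or of foo2zjs. The function names are hypothetical, and the demo uses a constructed scratch directory in place of /tmp.

```shell
#!/bin/sh
# Added example; not foo2zjs code. All function names are hypothetical.

# Pattern from the report: fixed, predictable name. mkdir -p returns 0 even
# when the path already exists, so the caller cannot tell whether it created
# the directory or inherited one prepared by another local user.
workdir_predictable() {
    base=$1
    mkdir -p "$base/foo2zjs" && printf '%s\n' "$base/foo2zjs"
}

# Hardened form: mktemp -d chooses an unpredictable name, creates the
# directory with mode 0700, and fails instead of reusing an existing path.
workdir_private() {
    base=$1
    dir=$(mktemp -d "$base/foo2zjs.XXXXXXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Check to run before extracting into a directory: it must be a real
# directory (not a symlink), owned by us, with no group/other permissions.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

demo() {
    sandbox=$(mktemp -d) || return 1      # constructed stand-in for /tmp
    mkdir -m 0777 "$sandbox/foo2zjs"      # directory already exists
    : > "$sandbox/foo2zjs/planted"        # constructed pre-existing file
    a=$(workdir_predictable "$sandbox")
    b=$(workdir_private "$sandbox")
    if is_private_dir "$a"; then echo "fixed name:  private"
    else echo "fixed name:  NOT private, already contains: $(ls "$a")"; fi
    if is_private_dir "$b"; then echo "mktemp -d:   private"
    else echo "mktemp -d:   NOT private"; fi
    rm -rf "$sandbox"
}
demo
```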
summary: |
- /usr/bin/getweb is rather hillarious -- and is vulnerable to "Insecure - temporary file creation" weaknesses + /usr/bin/getweb is vulnerable to "Insecure temporary file creation" + weaknesses |
description: | updated |
visibility: | private → public |
CVE requested: http://www.openwall.com/lists/oss-security/2011/07/06/10