
Bug 152810

Summary: CAN-2004-0966 GNU gettext Insecure Temporary File Creation Vulnerability
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: mattdm, pekkas, simon
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/12774/
Whiteboard: LEGACY
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:28:15 UTC
A vulnerability has been reported in gettext, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused due to temporary files being created insecurely.
This can be exploited via symlink attacks to overwrite or create arbitrary files
with the privileges of the user running gettext.

advisories:
http://secunia.com/advisories/12774/
http://secunia.com/advisories/12775/
http://www.gentoo.org/security/en/glsa/glsa-200410-10.xml

Bugzilla:
(Gentoo) http://bugs.gentoo.org/show_bug.cgi?id=66355
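
The failure mode described above, as an added example (not code from gettext, autopoint or gettextize, and not the patch referenced in this bug): a shell routine that writes to a predictable temporary path, next to one that creates a private directory first. All function names and paths are constructed, and the demo runs entirely inside its own throwaway directory.

```shell
# Added example; none of this is gettext code. All names are constructed.

# Predictable name (PID-based) opened with ">": if another local user has
# already placed a symlink at this path, the write lands on the link target.
write_predictable() {
    printf 'scratch data\n' > "$1/scratch.$$"
}

# Private directory created atomically: mktemp -d picks a random name,
# creates it mode 0700, and fails instead of reusing an existing path.
# Fallback for systems without mktemp: mkdir fails if the path exists,
# even as a dangling symlink, so a planted link aborts the run.
make_private_dir() {
    d=$(mktemp -d "$1/scratch.XXXXXX" 2>/dev/null) || {
        d="$1/scratch.$$"
        (umask 077 && mkdir "$d") || return 1
    }
    printf '%s\n' "$d"
}

write_private() {
    d=$(make_private_dir "$1") || return 1
    printf 'scratch data\n' > "$d/out"
    rm -rf "$d"
}

# Runs both routines inside a throwaway sandbox in which a symlink already
# sits at the predictable path, pointing at a stand-in file. Prints whether
# that file survived each routine.
demo() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    mkdir "$box/tmp" && printf 'original\n' > "$box/target"
    ln -s "$box/target" "$box/tmp/scratch.$$"

    write_predictable "$box/tmp"
    [ "$(cat "$box/target")" = original ] && r1=intact || r1=overwritten

    printf 'original\n' > "$box/target"
    write_private "$box/tmp"
    [ "$(cat "$box/target")" = original ] && r2=intact || r2=overwritten

    rm -rf "$box"
    printf 'predictable=%s private=%s\n' "$r1" "$r2"
}

demo   # prints: predictable=overwritten private=intact
```

On Linux, `fs.protected_symlinks=1` refuses to follow another user's symlink in a sticky world-writable directory such as /tmp, which is why the demo uses its own directory. Scripts should still create their temporary paths atomically rather than depend on that setting.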



------- Additional Comments From simon@nzservers.com 2004-10-14 09:41:19 ----

I don't think 7.3 is vulnerable to this. The two patches provided on the 
gentoo bugzilla don't even remotely match any of the code in gettext-0.11.1.
The first patch for misc/autopoint.in references a file introduced in a later 
version. The second patch fixes a routine that sets the PATH_SEPARATOR. This 
routine doesn't appear to exist in this version. 
 
- Si 



------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-05 05:51:20 ----

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0966

Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323



------- Additional Comments From pekkas@netcore.fi 2004-12-20 10:57:13 ----

From Red Hat's bugzilla, Mark Cox said:

"Temporary file vulnerability in autopoint, gettextize scripts.  Patch
attached.  These issues don't affect the scripts shipped with gettext
in RHEL2.1, RHEL3."

This is not definitive -- RHL9 version might bear checking against RHEL3, but if
this is true, is FC1 the only affected platform (if even that is)?




------- Additional Comments From pekkas@netcore.fi 2005-02-15 06:43:54 ----

According to the advisory, only 1.14 and up are affected.  RHL73, RHL9 and FC1
are all older than this so closing (I hope this is the right resolution).



------- Additional Comments From dom@earth.li 2005-02-15 13:52:11 ----

Which advisory? Had a quick scan through and couldn't find anything definitive.



------- Additional Comments From pekkas@netcore.fi 2005-02-15 19:24:58 ----

In the CVE, it says:

"The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14
and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other
operating systems, allows local users to overwrite files via a symlink attack on
temporary files."

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 also gives hints
towards that direction.





------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2151 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2151
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Matthew Miller 2005-04-12 05:15:24 UTC
Note that bug #136323 for FC2 (apparently impacted) is still open.