CVE-2005-0017
CVSS 2.1
Published: 2005-05-02 00:00:00
Last revised: 2008-09-05 16:45:06

[Original] The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.


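[CNNVD] F2C Multiple Local Insecure Temporary File Creation Vulnerabilities (CNNVD-200505-732)

        The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.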

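- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]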

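- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links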

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0017
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0017
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-732
(Official data source) CNNVD

- Other Links and Resources

http://www.debian.org/security/2005/dsa-661
(PATCH)  DEBIAN  DSA-661
http://www.gentoo.org/security/en/glsa/glsa-200501-43.xml
(UNKNOWN)  GENTOO  GLSA-200501-43
http://www.securityfocus.com/bid/12380
(UNKNOWN)  BID  12380
http://securitytracker.com/id?1013028
(UNKNOWN)  SECTRACK  1013028
http://secunia.com/advisories/14067
(UNKNOWN)  SECUNIA  14067
http://secunia.com/advisories/14052
(UNKNOWN)  SECUNIA  14052
http://secunia.com/advisories/14041
(UNKNOWN)  SECUNIA  14041

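- Vulnerability Information

F2C Multiple Local Insecure Temporary File Creation Vulnerabilities
Low risk  Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
Local
        The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.

- Advisories and Patches

        No data available

- Vulnerability Information (F35935)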

dsa-661.txt (PacketStormID:F35935)
2005-01-28 00:00:00
 
advisory
linux,debian
CVE-2005-0017,CVE-2005-0018

Debian Security Advisory 661-1 - The Debian Security Audit project discovered that f2c and fc, which are both part of the f2c package, a fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 661-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 27th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : f2c
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0017 CAN-2005-0018

Javier Fern    

- Vulnerability Information

13231
f2c Translator Multiple File Insecure Temporary File Handling

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-01-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

F2C Multiple Local Insecure Temporary File Creation Vulnerabilities
Design Error 12380
No Yes
2005-01-27 12:00:00 2009-07-12 10:06:00
Javier Fernández-Sanguino Peña is credited with the discovery of this issue.

- Affected Program Versions

f2c Fortran 77 Translator 1.3.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Vulnerability Discussion

Multiple local insecure temporary file creation vulnerabilities affect f2c. These issues are due to a design error causing failure of the application to write to temporary files securely.

An attacker may leverage these issues to corrupt arbitrary files with the privileges of an unsuspecting user that executes the affected applications.

- Exploit

No exploit is required to leverage this issue.

- Solution

Debian Linux has released advisory DSA 661-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Gentoo has released advisory GLSA 200501-43 to address these issues. Gentoo users may carry out the following commands to update their computers:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-lang/f2c-20030320-r1"

Please see the referenced Gentoo advisory for more information.

Debian has released a new advisory DSA 661-2 to address problems with the original fixes. The fixes did not properly correct the issue. Please see the referenced advisory for links to new fixes.


f2c Fortran 77 Translator 1.3.1

- Related References

 

 
