Published: 2005-05-02 00:00:00
Revised: 2008-09-05 16:45:06

The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.

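- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]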

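- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources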
(UNKNOWN)  BID  12380

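- Vulnerability information

Low risk  Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
        The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.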

- Advisories and patches


- Vulnerability information (F35935)

dsa-661.txt (PacketStormID:F35935)
2005-01-28 00:00:00

Debian Security Advisory 661-1 - The Debian Security Audit project discovered that f2c and fc, which are both part of the f2c package, a fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack.

--------------------------------------------------------------------------
Debian Security Advisory DSA 661-1                                        Martin Schulze
January 27th, 2005
--------------------------------------------------------------------------

Package        : f2c
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0017 CAN-2005-0018

Javier Fern    

- Vulnerability information

f2c Translator Multiple File Insecure Temporary File Handling

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-01-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

F2C Multiple Local Insecure Temporary File Creation Vulnerabilities
Design Error 12380
No Yes
2005-01-27 12:00:00 2009-07-12 10:06:00
Javier Fernández-Sanguino Peña is credited with the discovery of this issue.

- Affected program versions

f2c Fortran 77 Translator 1.3.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Vulnerability discussion

Multiple local insecure temporary file creation vulnerabilities affect f2c. These issues are due to a design error causing failure of the application to write to temporary files securely.

An attacker may leverage these issues to corrupt arbitrary files with the privileges of an unsuspecting user that executes the affected applications.

- Exploit

No exploit is required to leverage this issue.

- Solution

Debian Linux has released advisory DSA 661-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Gentoo has released advisory GLSA 200501-43 to address these issues. Gentoo users may carry out the following commands to update their computers:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-lang/f2c-20030320-r1"

Please see the referenced Gentoo advisory for more information.

Debian has released a new advisory DSA 661-2 to address problems with the original fixes. The fixes did not properly correct the issue. Please see the referenced advisory for links to new fixes.

f2c Fortran 77 Translator 1.3.1

- Related references