CVE-2005-3011
CVSS 1.2
Published: 2005-09-21 16:03:00
Revised: 2011-07-25 00:00:00

[Original] The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.


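[CNNVD] GNU Texinfo insecure temporary file creation vulnerability (CNNVD-200509-194)

        Texinfo is a documentation system that produces both online information and printed output from a single source file.
        The sort_offline function of texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.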

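- CVSS (base score)

CVSS score: 1.2 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-59 [Improper link resolution before file access (link following)]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10589: The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on te...
*OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the related OVAL definition.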

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3011
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3011
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-194
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2007/1939
(VENDOR_ADVISORY)  VUPEN  ADV-2007-1939
http://www.vupen.com/english/advisories/2007/1267
(VENDOR_ADVISORY)  VUPEN  ADV-2007-1267
http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
http://www.ubuntu.com/usn/usn-194-1
(UNKNOWN)  UBUNTU  USN-194-1
http://www.securityfocus.com/bid/14854
(UNKNOWN)  BID  14854
http://www.securityfocus.com/archive/1/archive/1/464745/100/0/threaded
(UNKNOWN)  BUGTRAQ  20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates
http://www.redhat.com/support/errata/RHSA-2006-0727.html
(UNKNOWN)  REDHAT  RHSA-2006:0727
http://www.novell.com/linux/security/advisories/2005_23_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:023
http://www.mandriva.com/security/advisories?name=MDKSA-2005:175
(UNKNOWN)  MANDRIVA  MDKSA-2005:175
http://www.gentoo.org/security/en/glsa/glsa-200510-04.xml
(UNKNOWN)  GENTOO  GLSA-200510-04
http://www.debian.org/security/2006/dsa-1219
(UNKNOWN)  DEBIAN  DSA-1219
http://securitytracker.com/id?1015468
(UNKNOWN)  SECTRACK  1015468
http://securitytracker.com/id?1014992
(UNKNOWN)  SECTRACK  1014992
http://secunia.com/advisories/25402
(VENDOR_ADVISORY)  SECUNIA  25402
http://secunia.com/advisories/24788
(VENDOR_ADVISORY)  SECUNIA  24788
http://secunia.com/advisories/23112
(VENDOR_ADVISORY)  SECUNIA  23112
http://secunia.com/advisories/22929
(VENDOR_ADVISORY)  SECUNIA  22929
http://secunia.com/advisories/18401
(VENDOR_ADVISORY)  SECUNIA  18401
http://secunia.com/advisories/17215
(VENDOR_ADVISORY)  SECUNIA  17215
http://secunia.com/advisories/17211
(VENDOR_ADVISORY)  SECUNIA  17211
http://secunia.com/advisories/17093
(VENDOR_ADVISORY)  SECUNIA  17093
http://secunia.com/advisories/17076
(VENDOR_ADVISORY)  SECUNIA  17076
http://secunia.com/advisories/17070
(VENDOR_ADVISORY)  SECUNIA  17070
http://secunia.com/advisories/16816
(VENDOR_ADVISORY)  SECUNIA  16816
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
(UNKNOWN)  TRUSTIX  TSLSA-2005-0059
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
(UNKNOWN)  APPLE  APPLE-SA-2007-05-24
http://docs.info.apple.com/article.html?artnum=305530
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=305530
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365
(UNKNOWN)  MISC  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365
ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P
(UNKNOWN)  SGI  20061101-01-P
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-06:01

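- Vulnerability information

GNU Texinfo insecure temporary file creation vulnerability
Low risk, design error
2005-09-21 00:00:00 2006-06-14 00:00:00
Local
        Texinfo is a documentation system that produces both online information and printed output from a single source file.
        The sort_offline function of texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.

- Advisories and patches

        No data available

- Vulnerability information (F55667)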

VMware Security Advisory 2007-0003 (PacketStormID:F55667)
2007-04-05 00:00:00
VMware  vmware.com
advisory
CVE-2005-3011,CVE-2006-4810,CVE-2007-1270,CVE-2007-1271,CVE-2005-2096,CVE-2005-1849,CVE-2003-0107,CVE-2005-1704

VMware Security Advisory - ESX 3.0.1 and 3.0.0 patches address several security issues.

-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0003
Synopsis:          VMware ESX 3.0.1 and 3.0.0 server security updates
Issue date:        2007-04-02
Updated on:        2007-04-02
CVE numbers:       CVE-2005-3011 CVE-2006-4810 CVE-2007-1270
                   CVE-2007-1271 CVE-2005-2096 CVE-2005-1849
                   CVE-2003-0107 CVE-2005-1704
-------------------------------------------------------------------

1. Summary:

ESX 3.0.1 and 3.0.0 patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patches ESX-2559638, ESX-1161870, ESX-3416571,
ESX-5011126, ESX-7737432, ESX-7780490, ESX-8174018, ESX-8852210,
ESX-9617902, ESX-9916286

VMware ESX 3.0.0 without patches ESX-1121906, ESX-131737, ESX-1870154,
ESX-392718, ESX-4197945, ESX-4921691, ESX-5752668, ESX-7052426, ESX-3616065

3. Problem description:

Problems addressed by these patches:

a.   texinfo service console update

     Updated texinfo packages for the service console that fix two
     security vulnerabilities are now available.  A buffer overflow in
     the program texinfo could allow a local user to execute arbitrary
     code in the service console via a crafted texinfo file.  And could
     allow a local user to overwrite arbitrary files via a symlink
     attack on temporary files.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-3011 and CVE-2006-4810 to these
     issues.

     ESX 301 Download Patch ESX-2559638
     ESX 300 Download Patch ESX-1121906

b.   This bundle is a group of patches to resolve two possible security
issues.

     They are as follows:
     A VMware internal security audit revealed a double free condition.
     It may be possible for an attacker to influence the operation of
     the system. In most circumstances, this influence will be limited
     to denial of service or information leakage, but it is
     theoretically possible for an attacker to insert arbitrary code
     into a running program. This code would be executed with the
     permissions of the vulnerable program.  There are no known exploits
     for this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1270 to this issue.

     A VMware internal security audit revealed a potential buffer
     overflow condition. There are no known vulnerabilities, but such
     vulnerabilities may be used to elevate privileges or to crash the
     application and thus cause a denial of service.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1271 to this issue.

     The following patches are contained within this bundle:

     ESX 301                      ESX 300
     -------                     --------
     ESX-1161870                  ESX-131737
     ESX-3416571                  ESX-1870154
     ESX-5011126                  ESX-392718
     ESX-7737432                  ESX-4197945
     ESX-7780490                  ESX-4921691
     ESX-8174018                  ESX-5752668
     ESX-8852210                  ESX-7052426
     ESX-9617902                  ESX-9976400

     ESX 301 Download Patch Bundle ESX-6431040
     ESX 300 Download Patch Bundle ESX-5754280

c.   This patch updates internally used zlib libraries in order to
     address potential security issues with older versions of this
     library.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-2096, CVE-2005-1849, CVE-2003-0107
     to these issues.

     ESX 301 Download Patch ESX-9916286
     ESX 300 Download Patch ESX-3616065

d.  binutils service console update

     NOTE: This vulnerability and update only apply to ESX 3.0.0.

     An integer overflow in the Binary File Descriptor (BFD) library for
     the GNU Debugger before version 6.3, binutils, elfutils, and
     possibly other packages, allows user-assisted attackers to execute
     arbitrary code via a crafted object file that specifies a large
     number of section headers, leading to a heap-based buffer overflow.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2005-1704 to this issue.

     ESX 300 Download Patch ESX-55052

4. Solution:

Please review the Patch notes for your version of ESX and verify the
md5sum of your downloaded file.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
  md5sum 9ee9d9769dfe2668aa6a4be2df284ea6

  http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
  md5sum ef6bc745b3d556e0736fd39b8ddc8087

  http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
  md5sum 7b98cfe1b2e0613c368d4080dcacccb8

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
  md5sum 8d45e36ec997707ebe68d84841026fef

  http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
  md5sum 02c5bcccea156dd0db93177e5e3fab8b

  http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
  md5sum 90e4face2edaab07080531a37a49ec01

  http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
  md5sum 82b3c7e18dd1422f30c4aa9e477c6a27

5. References:

  ESX 3.0.1

Patch URL:http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
Knowledge base URL:http://kb.vmware.com/kb/2559638
Knowledge base URL:http://kb.vmware.com/kb/6431040
Knowledge base URL:http://kb.vmware.com/kb/9916286

  ESX 3.0.0

Patch URL:http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
Knowledge base URL:http://kb.vmware.com/kb/55052
Knowledge base URL:http://kb.vmware.com/kb/1121906
Knowledge base URL:http://kb.vmware.com/kb/3616065
Knowledge base URL:http://kb.vmware.com/kb/55052


  CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1704

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2007 VMware Inc. All rights reserved.
    

- Vulnerability information (F52577)

Debian Linux Security Advisory 1219-1 (PacketStormID:F52577)
2006-11-29 00:00:00
Debian  debian.org
advisory,overflow
linux,debian
CVE-2005-3011,CVE-2006-4810

Debian Security Advisory 1219-1 - The GNU texinfo package has been found susceptible to insecure file handling and buffer overflow flaws.

------------------------------------------------------------------------
Debian Security Advisory DSA-1219-1                security@debian.org
http://www.debian.org/security/                         Noah Meyerhans
November 27, 2006
------------------------------------------------------------------------

Package        : texinfo
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2005-3011 CVE-2006-4810
BugTraq ID     : 14854 20959

Multiple vulnerabilities have been found in the GNU texinfo package, a
documentation system for on-line information and printed output.

CVE-2005-3011
Handling of temporary files is performed in an insecure manner, allowing
an attacker to overwrite any file writable by the victim.

CVE-2006-4810
A buffer overflow in util/texindex.c could allow an attacker to execute
arbitrary code with the victim's access rights by inducing the victim to
run texindex or tex2dvi on a specially crafted texinfo file.

For the stable distribution (sarge), these problems have been fixed in
version 4.7-2.2sarge2.  Note that binary packages for the mipsel
architecture are not currently available due to technical problems with
the build host.  These packages will be made available as soon as
possible.

For unstable (sid) and the upcoming stable release (etch), these
problems have been fixed in version 4.8.dfsg.1-4

We recommend that you upgrade your texinfo package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    

- Vulnerability information (F40485)

Ubuntu Security Notice 194-1 (PacketStormID:F40485)
2005-10-07 00:00:00
Ubuntu  security.ubuntu.com
advisory,arbitrary
linux,ubuntu
CVE-2005-3011

Ubuntu Security Notice USN-194-1 - Frank Lichtenheld discovered that the texindex program created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running texindex.

===========================================================
Ubuntu Security Notice USN-194-1	   October 06, 2005
texinfo vulnerability
CAN-2005-3011
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

texinfo

The problem can be corrected by upgrading the affected package to
version 4.6-1ubuntu1.1 (for Ubuntu 4.10), or 4.7-2.2ubuntu1.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Frank Lichtenheld discovered that the "texindex" program created
temporary files in an insecure manner. This could allow a symlink
attack to create or overwrite arbitrary files with the privileges of
the user running texindex.


Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

    

- Vulnerability information (F40457)

Gentoo Linux Security Advisory 200510-4 (PacketStormID:F40457)
2005-10-06 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-3011

Gentoo Linux Security Advisory GLSA 200510-04 - Frank Lichtenheld has discovered that the sort_offline() function in texindex insecurely creates temporary files with predictable filenames. Versions less than 4.8-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200510-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Texinfo: Insecure temporary file creation
      Date: October 05, 2005
      Bugs: #106105
        ID: 200510-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Texinfo is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.

Background
==========

Texinfo is the official documentation system created by the GNU
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  sys-apps/texinfo      < 4.8-r1                          >= 4.8-r1

Description
===========

Frank Lichtenheld has discovered that the "sort_offline()" function in
texindex insecurely creates temporary files with predictable filenames.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
texindex is executed, this would result in the file being overwritten
with the rights of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Texinfo users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/texinfo-4.8-r1"

References
==========

  [ 1 ] CAN-2005-3011
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
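
The weakness the Gentoo advisory above describes (a temporary file opened under a guessable name where another local user can pre-create a symlink) shown next to two safer ways of creating the file. This is an added example, not the texindex source or any vendor's patch; the name sort0, the /tmp/tmpfile-demo-XXXXXX sandbox, the sample contents and all function names are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, mkstemp, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum mode { PREDICTABLE, EXCLUSIVE, MKSTEMP };

#define SECRET "important data\n"   /* constructed contents of the file to protect */

/* Weak pattern: the name is guessable and open() follows whatever is already
   there, so a symlink sitting at that name redirects the truncate and write. */
static int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Same name, created exclusively: with O_CREAT|O_EXCL open() fails (EEXIST)
   if anything, a symlink included, already exists at the path. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() fills in XXXXXX with an unpredictable suffix and
   creates the file exclusively with mode 0600. */
static int open_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Builds a private sandbox, places a symlink at the guessable name that points
   at a file holding SECRET, creates a temp file with the chosen method, and
   returns 1 if the protected file is unchanged, 0 if it was overwritten,
   -1 on a setup error. */
static int victim_survives(enum mode m)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* assumes /tmp exists */
    char victim[64], planted[64], tmp[64] = "", buf[64] = "";
    int fd = -1, intact = -1;
    FILE *f;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/sort0", dir);

    if (!(f = fopen(victim, "w")))
        goto out;
    fputs(SECRET, f);
    fclose(f);
    if (symlink(victim, planted) != 0)
        goto out;

    if (m == MKSTEMP) {
        snprintf(tmp, sizeof tmp, "%s/sortXXXXXX", dir);
        fd = open_mkstemp(tmp);
    } else {
        fd = (m == PREDICTABLE) ? open_predictable(planted)
                                : open_exclusive(planted);
    }
    if (fd >= 0) {
        if (write(fd, "index\n", 6) != 6)
            perror("write");
        close(fd);
    }

    /* Read the protected file back and compare with what was stored. */
    if ((f = fopen(victim, "r"))) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        intact = (strcmp(buf, SECRET) == 0);
    }
out:
    if (m == MKSTEMP && fd >= 0)
        unlink(tmp);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return intact;
}

int main(void)
{
    printf("predictable name, plain open : intact=%d\n", victim_survives(PREDICTABLE));
    printf("predictable name, O_EXCL     : intact=%d\n", victim_survives(EXCLUSIVE));
    printf("mkstemp()                    : intact=%d\n", victim_survives(MKSTEMP));
    return 0;
}
```

With O_EXCL the pre-existing link becomes an EEXIST error the program can handle, while mkstemp() avoids the guessable name altogether.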

    

- Vulnerability information

19409
GNU Texinfo textindex.c Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-09-14 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

GNU Texinfo Insecure Temporary File Creation Vulnerability
Design Error 14854
No Yes
2005-09-01 12:00:00 2007-05-24 11:12:00
Frank Lichtenheld <djpig@debian.org> is credited with the discovery of this vulnerability.

- Affected program versions

VMWare ESX Server 3.0.1
VMWare ESX Server 3.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
SILC Secure Internet Live Conferencing 1.0
SILC Secure Internet Live Conferencing 0.9.21
SILC Secure Internet Live Conferencing 0.9.20
SILC Secure Internet Live Conferencing 0.9.19
SILC Secure Internet Live Conferencing 0.9.18
SILC Secure Internet Live Conferencing 0.9.17
SILC Secure Internet Live Conferencing 0.9.16
SILC Secure Internet Live Conferencing 0.9.15
SILC Secure Internet Live Conferencing 0.9.14
SILC Secure Internet Live Conferencing 0.9.13
SILC Secure Internet Live Conferencing 0.9.12
SILC Secure Internet Live Conferencing 0.9.11
SGI ProPack 3.0 SP6
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Professional 7.3
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. LINUX 9.1 Personal Edition CD-ROM
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1
GNU Texinfo 4.7
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
GNU Texinfo 4.6
Gentoo Linux
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Conectiva Linux 10.0
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
GNU Texinfo 4.8 R1

- Unaffected program versions

GNU Texinfo 4.8 R1

- Vulnerability discussion

Texinfo creates temporary files in an insecure manner. The issue resides in the 'textindex.c' file.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

- Exploit

An exploit is not required.

- Solution

Please see the referenced advisories for more information.


Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.3.9

Apple Mac OS X Server 10.4.9

VMWare ESX Server 3.0.1

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 4.11 -STABLE

GNU Texinfo 4.7

FreeBSD FreeBSD 5.3

FreeBSD FreeBSD 5.3 -STABLE

FreeBSD FreeBSD 5.4 -RELENG

FreeBSD FreeBSD 6.0 -STABLE

FreeBSD FreeBSD 6.0 -RELEASE

- Related references

 

 
