发布时间 :2006-04-11 06:02:00
修订时间 :2011-03-07 21:33:36

[原文]The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID].

[CNNVD]Fbida FBGS 不安全临时文件创建漏洞 (CNNVD-200604-158)

        当未定义TMPDIR环境变量时,fbi包2.01-1.4中的fbgs脚本允许本地用户借助于对 /var/tmp/fbps-[PID]中的临时文件的符号链接攻击重写任意文件。

- CVSS (基础分值)

CVSS分值: 1.2 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  VUPEN  ADV-2006-1281
(UNKNOWN)  XF  fbida-fbgs-tmpdir-symlink(25729)
(UNKNOWN)  BID  17436

- 漏洞信息

Fbida FBGS 不安全临时文件创建漏洞
低危 设计错误
2006-04-11 00:00:00 2006-04-11 00:00:00
        当未定义TMPDIR环境变量时,fbi包2.01-1.4中的fbgs脚本允许本地用户借助于对 /var/tmp/fbps-[PID]中的临时文件的符号链接攻击重写任意文件。

- 公告与补丁

        fbida fbida 2.01
        Debian exiftran_2.01-1.2sarge1_alpha.deb
        Debian GNU/Linux 3.1 alias sarge rge1_alpha.deb
        Debian exiftran_2.01-1.2sarge1_amd64.deb
        Debian GNU/Linux 3.1 alias sarge rge1_amd64.deb
        Debian exiftran_2.01-1.2sarge1_arm.deb
        Debian GNU/Linux 3.1 alias sarge rge1_arm.deb
        Debian exiftran_2.01-1.2sarge1_hppa.deb
        Debian GNU/Linux 3.1 alias sarge rge1_hppa.deb
        Debian exiftran_2.01-1.2sarge1_i386.deb
        Debian GNU/Linux 3.1 alias sarge rge1_i386.deb
        Debian exiftran_2.01-1.2sarge1_ia64.deb
        Debian GNU/Linux 3.1 alias sarge rge1_ia64.deb
        Debian exiftran_2.01-1.2sarge1_m68k.deb
        Debian GNU/Linux 3.1 alias sarge rge1_m68k.deb
        Debian exiftran_2.01-1.2sarge1_mips.deb
        Debian GNU/Linux 3.1 alias sarge rge1_mips.deb
        Debian exiftran_2.01-1.2sarge1_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge rge1_mipsel.deb
        Debian exiftran_2.01-1.2sarge1_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge rge1_powerpc.deb
        Debian exiftran_2.01-1.2sarge1_s390.deb
        Debian GNU/Linux 3.1 alias sarge rge1_s390.deb
        Debian exiftran_2.01-1.2sarge1_sparc.deb
        Debian GNU/Linux 3.1 alias sarge rge1_sparc.deb
        Debian fbi_2.01-1.2sarge1_alpha.deb
        Debian GNU/Linux 3.1 alias sarge alpha.deb
        Debian fbi_2.01-1.2sarge1_amd64.deb
        Debian GNU/Linux 3.1 alias sarge amd64.deb
        Debian fbi_2.01-1.2sarge1_arm.deb
        Debian GNU/Linux 3.1 alias sarge arm.deb
        Debian fbi_2.01-1.2sarge1_hppa.deb
        Debian GNU/Linux 3.1 alias sarge hppa.deb
        Debian fbi_2.01-1.2sarge1_i386.deb
        Debian GNU/Linux 3.1 alias sarge i386.deb
        Debian fbi_2.01-1.2sarge1_ia64.deb
        Debian GNU/Linux 3.1 alias sarge ia64.deb
        Debian fbi_2.01-1.2sarge1_m68k.deb
        Debian GNU/Linux 3.1 alias sarge m68k.deb
        Debian fbi_2.01-1.2sarge1_mips.deb
        Debian GNU/Linux 3.1 alias sarge mips.deb
        Debian fbi_2.01-1.2sarge1_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge mipsel.deb
        Debian fbi_2.01-1.2sarge1_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge powerpc.deb
        Debian fbi_2.01-1.2sarge1_s390.deb
        Debian GNU/Linux 3.1 alias sarge s390.deb
        Debian fbi_2.01-1.2sarge1_sparc.deb
        Debian GNU/Linux 3.1 alias sarge sparc.deb

- 漏洞信息 (F46507)

Debian Linux Security Advisory 1068-1 (PacketStormID:F46507)
2006-05-22 00:00:00
advisory,denial of service

Debian Security Advisory 1068-1 - Jan Braun discovered that the fbgs script of fbi, an image viewer for the framebuffer environment, creates an directory in a predictable manner, which allows denial of service through symlink attacks.

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1068-1                                   Moritz Muehlenhoff
May 20th, 2006                
- --------------------------------------------------------------------------

Package        : fbi
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-1695
Debian Bug     : 361370

Jan Braun discovered that the fbgs script of fbi, an image viewer for
the framebuffer environment, creates an directory in a predictable manner,
which allows denial of service through symlink attacks.

For the old stable distribution (woody) this problem has been fixed in
version 1.23woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.01-1.2sarge1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your fbi package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:
      Size/MD5 checksum:      559 4aa635f3124ac9e654ad25c11f9c1420
      Size/MD5 checksum:    58027 20831f12eaf6fd6f4faa928ad2d80428

  Alpha architecture:
      Size/MD5 checksum:    49472 6004536fd8a9210c041bf7ab4570c254

  ARM architecture:
      Size/MD5 checksum:    40320 bd6d1d6addcd838e7d0d309b6f1b424a

  Intel IA-32 architecture:
      Size/MD5 checksum:    37476 917af0dcaa790e71eef2d20d6766b472

  Intel IA-64 architecture:
      Size/MD5 checksum:    60846 8435e5bba35a1e2b82f52102dee7e255

  HP Precision architecture:
      Size/MD5 checksum:    45078 e1343c5ab373022682ea9659c17642e1

  Motorola 680x0 architecture:
      Size/MD5 checksum:    35324 3331d7b580216a5ba9590c936000b32c

  Big endian MIPS architecture:
      Size/MD5 checksum:    43206 a9234c16f320296bd2167ee97a9c193d

  Little endian MIPS architecture:
      Size/MD5 checksum:    43326 05850aa0862a75c0e9340ff3130b2e7a

  PowerPC architecture:
      Size/MD5 checksum:    40652 52a8724735c368dad3a6cce4fe2e2986

  IBM S/390 architecture:
      Size/MD5 checksum:    40358 55e2c97bb3b6e84e65220b8e36fe8bd3

  Sun Sparc architecture:
      Size/MD5 checksum:    38928 0e474d52aac9c49575e09c89cc160dc8

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:
      Size/MD5 checksum:      735 af3db0f27d3d8bab9b8051dc497abaaa
      Size/MD5 checksum:     4840 66b2f2ed2577ef905865b9c18409994e
      Size/MD5 checksum:   205822 7bf21eae612fd457155533a83ab075c2

  Alpha architecture:
      Size/MD5 checksum:    29496 597e1fb3a2a44a3e130e71ee14c7818a
      Size/MD5 checksum:    67638 6a60e3c72741d6e6667d6dc256284361

  AMD64 architecture:
      Size/MD5 checksum:    24474 b59a585d73a3c28060ad56a3aa7e7f0a
      Size/MD5 checksum:    57326 3e846d45b831c55f960792a033d4eafb

  ARM architecture:
      Size/MD5 checksum:    22440 6e70ab80e54f70b63a45a0476f883ff7
      Size/MD5 checksum:    51178 a53903ec2a00b07c5eaad8acbe91dd4e

  Intel IA-32 architecture:
      Size/MD5 checksum:    22644 c62296dbeb5e1aaee865595b6edd6f61
      Size/MD5 checksum:    52126 5e8ce488ccf3ae55e9e18586c3dcad7a

  Intel IA-64 architecture:
      Size/MD5 checksum:    33838 39beccb7cb3e14c5432ca6c7c6aebaa8
      Size/MD5 checksum:    79752 c4dcf30f9d03eea3c2b88744fdb7ecb4

  HP Precision architecture:
      Size/MD5 checksum:    26856 5e3917309718e88ba92acf987511f828
      Size/MD5 checksum:    60152 9a87a9cf08571d7dde5105e44aac6b09

  Motorola 680x0 architecture:
      Size/MD5 checksum:    20692 5f02a36a487e20139fa44a6578734352
      Size/MD5 checksum:    47274 99544f2a08a563cd49e873d76a4144bb

  Big endian MIPS architecture:
      Size/MD5 checksum:    25992 265989c07aae9d76a9d1413652d550a5
      Size/MD5 checksum:    59434 db2964812374a7e991da7d590dfa9da4

  Little endian MIPS architecture:
      Size/MD5 checksum:    26058 040e3d982d77cd40118f5249e1dcd996
      Size/MD5 checksum:    59166 6ad4d70a30f65b1784269b903ea8271a

  PowerPC architecture:
      Size/MD5 checksum:    25912 24f98eff47c2ec279c37ed8e678e087a
      Size/MD5 checksum:    57236 ba603481f53226cfe797714014f2586f

  IBM S/390 architecture:
      Size/MD5 checksum:    24420 8e769aa578139330b6a1211d51cce264
      Size/MD5 checksum:    58016 ec38329e241e32e0a0bd00d114c1c65f

  Sun Sparc architecture:
      Size/MD5 checksum:    23016 4e89f15043cf08dccc1b84175e632fc2
      Size/MD5 checksum:    52440 7adbfbe748f548614c2726265dc8f680

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>
Version: GnuPG v1.4.3 (GNU/Linux)



- 漏洞信息

fbida fbgs /var/tmp/ Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-04-08 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Fbida FBGS Insecure Temporary File Creation Vulnerability
Design Error 17436
No Yes
2006-04-10 12:00:00 2006-12-01 08:49:00
This vulnerability was discovered by Jan Braun <>.

- 受影响的程序版本

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
Gentoo Linux
fbida fbida 2.03
fbida fbida 2.01
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- 漏洞讨论

The 'fbida' utilities create temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to view files and obtain privileged information. The attacker may also perform symlink attacks, overwriting arbitrary files in the context of the affected application.

A successful attack would most likely result in loss of confidentiality and theft of privileged information. Successful exploitation of a symlink attack may allow an attacker to overwrite sensitive files. This may result in a denial of service; other attacks may also be possible.

- 漏洞利用

An exploit is not required.

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

Please see the references for more information and vendor advisories.

fbida fbida 2.01

- 相关参考