Vulnerability Bulletins

int(1888)

Vulnerability Bulletins

Creación insegura de ficheros temporales en Vixie cron
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Aumento de la visibilidad
Dificulty	Avanzado
Required attacker level	Acceso remoto con cuenta
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	Vixie cron <=4.1
Description
Se ha descubierto una vulnerabilidad en Vixie cron 4.1 y anteriores. La vulnerabilidad reside en que crontab, cuando la opción "-e" está activada, crea ficheros temporales de forma insegura. Un atacante local podría leer ficheros arbitrarios, mediante un ataque de enlace simbólico.
Solution
Actualización de software Red Hat Red Hat Desktop (v. 4) / SRPMS vixie-cron-4.1-36.EL4.src.rpm Red Hat Desktop (v. 4) / IA-32 vixie-cron-4.1-36.EL4.i386.rpm Red Hat Desktop (v. 4) / x86_64 vixie-cron-4.1-36.EL4.x86_64.rpm Red Hat Enterprise Linux AS (v. 4) / SRPMS vixie-cron-4.1-36.EL4.src.rpm Red Hat Enterprise Linux AS (v. 4) / IA-32 vixie-cron-4.1-36.EL4.i386.rpm Red Hat Enterprise Linux AS (v. 4) / IA-64 vixie-cron-4.1-36.EL4.ia64.rpm Red Hat Enterprise Linux AS (v. 4) / PPC vixie-cron-4.1-36.EL4.ppc.rpm Red Hat Enterprise Linux AS (v. 4) / s390 vixie-cron-4.1-36.EL4.s390.rpm Red Hat Enterprise Linux AS (v. 4) / s390x vixie-cron-4.1-36.EL4.s390x.rpm Red Hat Enterprise Linux AS (v. 4) / x86_64 vixie-cron-4.1-36.EL4.x86_64.rpm Red Hat Enterprise Linux ES (v. 4) / SRPMS vixie-cron-4.1-36.EL4.src.rpm Red Hat Enterprise Linux ES (v. 4) / IA-32 vixie-cron-4.1-36.EL4.i386.rpm Red Hat Enterprise Linux ES (v. 4) / IA-64 vixie-cron-4.1-36.EL4.ia64.rpm Red Hat Enterprise Linux ES (v. 4) / x86_64 vixie-cron-4.1-36.EL4.x86_64.rpm Red Hat Enterprise Linux WS (v. 4) / SRPMS vixie-cron-4.1-36.EL4.src.rpm Red Hat Enterprise Linux WS (v. 4) / IA-32 vixie-cron-4.1-36.EL4.i386.rpm Red Hat Enterprise Linux WS (v. 4) / IA-64 vixie-cron-4.1-36.EL4.ia64.rpm Red Hat Enterprise Linux WS (v. 4) / x86_64 vixie-cron-4.1-36.EL4.x86_64.rpm Red Hat Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) https://rhn.redhat.com/ SGI Advanced Linux Environment 3 / RPM / Patch 10291 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS Advanced Linux Environment 3 / SRPM / Patch 10291 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux
Standar resources
Property	Value
CVE	CAN-2005-1038
BID	13024
Other resources
Red Hat Security Advisory (RHSA-2005:361-19) https://rhn.redhat.com/errata/RHSA-2005-361.html Red Hat Security Advisory (RHSA-2006:0117-7) https://rhn.redhat.com/errata/RHSA-2006-0117.html SGI Security Advisory (20060401-01-U) ftp://patches.sgi.com/support/free/security/advisories/20060401-01.U.asc SUSE Security Summary Report (SUSE-SR:2007:007) http://www.novell.com/linux/security/advisories/2007_007_suse.html

Version history
Version	Comments	Date
1.0	Aviso emitido	2005-10-17
1.1	Aviso emitido por Red Hat (RHSA-2006:0117-7)	2006-03-16
1.2	Aviso emitido por SGI (20060401-01-U)	2006-04-05
1.3	Aviso emitido por Suse (SUSE-SR:2007:007)	2007-04-27

Vulnerability Bulletins

Creación insegura de ficheros temporales en Vixie cron

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history