CVE-2008-4977
Summary
| CVE | CVE-2008-4977 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2008-11-06 15:55:00 UTC |
|---|
| Updated | 2023-11-07 02:02:00 UTC |
|---|
| Description | ** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it." |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| #496401 - please make debug code use safe tempfiles - Debian Bug report logs |
MISC |
bugs.debian.org |
|
| 235811 – mail-mta/postfix: audit wrt insecure temp file usage |
MISC |
bugs.gentoo.org |
|
| 404 Not Found |
MISC |
dev.gentoo.org |
Exploit |
| 235770 – (debian-tempfile) [Tracker] Tempfile issues found in Debian |
MISC |
bugs.gentoo.org |
|
| oss-security - CVE requests: tempfile issues for aview, mgetty, openoffice, crossfire |
MLIST |
www.openwall.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|
| Red Hat | 2008-11-06 | Tomas Hoger | Not vulnerable. This issue did not affect the versions of postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5. Mentioned script is not part of the official postfix distribution and is not included in Red Hat Enterprise Linux postfix packages. |
There are currently no legacy QID mappings associated with this CVE.
