CVE-2009-4135
Summary
| CVE | CVE-2009-4135 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-12-11 16:30:00 UTC |
| Updated | 2023-02-13 02:20:00 UTC |
| Description | The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp. |
Risk And Classification
Problem Types: CWE-59
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 10.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Fedoraproject | Fedora | 11 | All | All | All |
| Operating System | Fedoraproject | Fedora | 12 | All | All | All |
| Application | Gnu | Coreutils | 5.2.1 | All | All | All |
| Application | Gnu | Coreutils | 5.91 | All | All | All |
| Application | Gnu | Coreutils | 5.92 | All | All | All |
| Application | Gnu | Coreutils | 5.93 | All | All | All |
| Application | Gnu | Coreutils | 5.94 | All | All | All |
| Application | Gnu | Coreutils | 5.95 | All | All | All |
| Application | Gnu | Coreutils | 5.96 | All | All | All |
| Application | Gnu | Coreutils | 5.97 | All | All | All |
| Application | Gnu | Coreutils | 6.10 | All | All | All |
| Application | Gnu | Coreutils | 6.11 | All | All | All |
| Application | Gnu | Coreutils | 6.12 | All | All | All |
| Application | Gnu | Coreutils | 6.2 | All | All | All |
| Application | Gnu | Coreutils | 6.3 | All | All | All |
| Application | Gnu | Coreutils | 6.4 | All | All | All |
| Application | Gnu | Coreutils | 6.5 | All | All | All |
| Application | Gnu | Coreutils | 6.6 | All | All | All |
| Application | Gnu | Coreutils | 6.7 | All | All | All |
| Application | Gnu | Coreutils | 6.8 | All | All | All |
| Application | Gnu | Coreutils | 6.9 | All | All | All |
| Application | Gnu | Coreutils | 7.1 | All | All | All |
| Application | Gnu | Coreutils | 7.2 | All | All | All |
| Application | Gnu | Coreutils | 7.3 | All | All | All |
| Application | Gnu | Coreutils | 7.4 | All | All | All |
| Application | Gnu | Coreutils | 7.5 | All | All | All |
| Application | Gnu | Coreutils | 7.6 | All | All | All |
| Application | Gnu | Coreutils | 8.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| USN-2473-1: coreutils vulnerabilities \| Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| GNU Core Utilities "distcheck" Insecure Temporary Directory Security Issue - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| 'Re: [oss-security] CVE Request -- coreutils -- unsafe temporary' - MARC | MLIST | marc.info | Mailing List, Patch, Third Party Advisory |
| oss-security - CVE Request -- coreutils -- unsafe temporary directory location use | MLIST | www.openwall.com | Mailing List, Third Party Advisory |
| [SECURITY] Fedora 11 Update: coreutils-7.2-5.fc11 | FEDORA | www.redhat.com | Third Party Advisory |
| 60853 | OSVDB | www.osvdb.org | |
| [SECURITY] Fedora 12 Update: coreutils-7.6-8.fc12 | FEDORA | www.redhat.com | Third Party Advisory |
| Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind | MISC | www.mail-archive.com | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Fedora update for coreutils - Secunia.com | SECUNIA | secunia.com | |
| [PATCH] doc: NEWS: mention the "make distcheck" vulnerability | MLIST | www.mail-archive.com | Mailing List, Patch |
| Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind | MLIST | www.mail-archive.com | Mailing List, Patch |
| [PATCH] doc: NEWS: mention the "make distcheck" vulnerability | MISC | www.mail-archive.com | |
| Security Advisory SA62226 - Ubuntu update for coreutils - Secunia | SECUNIA | secunia.com | |
| coreutils.git - GNU coreutils | CONFIRM | git.savannah.gnu.org | Issue Tracking, Patch |
| Bug 545439 – CVE-2009-4135 coreutils: Unsafe temporary directory use in "distcheck" rule | CONFIRM | bugzilla.redhat.com | Issue Tracking, Patch |
| GNU Coreutils Insecure Temporary File Creation Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | VUPEN | www.vupen.com | Permissions Required |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2010-02-26 | Joshua Bressers | This issue does not affect users using coreutils binary RPMs, or rebuilding source RPMs. Therefore, we do not plan to release updates addressing this flaw on Red Hat Enterprise Linux 3, 4 and 5. For additional details, refer to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4135 |
There are currently no legacy QID mappings associated with this CVE.