Debian lustre-tests Insecure Temporary File Creation Vulnerability

Bugtraq ID:	30911
Class:	Design Error
CVE:	CVE-2008-4970
Remote:	No
Local:	Yes
Published:	Aug 24 2008 12:00AM
Updated:	Apr 16 2015 05:55PM
Credit:	Dmitry E. Oboukhov
Vulnerable:	Debian lustre-tests 1.6.5 .1 Debian lustre-tests 1.6.5
Not Vulnerable:

Debian lustre-tests Insecure Temporary File Creation Vulnerability

Debian 'lustre-tests' creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Debian 'lustre-tests' 1.6.5 and 1.6.5.1 are vulnerable; other versions may also be affected.

Debian lustre-tests Insecure Temporary File Creation Vulnerability

An attacker uses readily available commands to exploit this issue.

Debian lustre-tests Insecure Temporary File Creation Vulnerability

Solution:
Reportedly, vendor fixes are about to be released. Please see the references for more information.

Debian lustre-tests Insecure Temporary File Creation Vulnerability

References:

• Debian Bug report logs - #496371 (Dmitry E. Oboukhov)
  
• lustre-tests (Debian)