Debian scratchbox2 Insecure Temporary File Creation Vulnerabilities

Bugtraq ID:	30969
Class:	Design Error
CVE:	CVE-2008-4984
Remote:	No
Local:	Yes
Published:	Aug 24 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	Dmitry E. Oboukhov
Vulnerable:	Debian scratchbox2 1.99 .24-1
Not Vulnerable:	Debian scratchbox2 1.99 .24-2

Debian scratchbox2 Insecure Temporary File Creation Vulnerabilities

Debian scratchbox2 creates temporary files in an insecure manner.

An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.

Debian scratchbox2 1.99.0.24-1 is vulnerable; other versions may also be affected.

Debian scratchbox2 Insecure Temporary File Creation Vulnerabilities

An attacker uses readily available commands to exploit these issues.

Debian scratchbox2 Insecure Temporary File Creation Vulnerabilities

Solution:
Reportedly, Debian fixes are about to be released. Please see the references for more information.

Debian scratchbox2 Insecure Temporary File Creation Vulnerabilities

References:

• #496409 The possibility of attack with the help of symlinks in some Debian packa (Debian)
  
• Package: scratchbox2 (Debian)