Vulnerabilities > CVE-2004-0966 - Insecure Temporary File Creation vulnerability in GNU GetText
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200410-10.NASL description The remote host is affected by the vulnerability described in GLSA-200410-10 (gettext: Insecure temporary file handling) gettext insecurely creates temporary files in world-writeable directories with predictable names. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 15448 published 2004-10-11 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15448 title GLSA-200410-10 : gettext: Insecure temporary file handling code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200410-10. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(15448); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0966"); script_xref(name:"GLSA", value:"200410-10"); script_name(english:"GLSA-200410-10 : gettext: Insecure temporary file handling"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200410-10 (gettext: Insecure temporary file handling) gettext insecurely creates temporary files in world-writeable directories with predictable names. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. Workaround : There is no known workaround at this time." ); # http://www.securityfocus.com/advisories/7263 script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/advisories/7263" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200410-10" ); script_set_attribute( attribute:"solution", value: "All gettext users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sys-devel/gettext-0.14.1-r1'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:gettext"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"sys-devel/gettext", unaffected:make_list("ge 0.14.1-r1", "rge 0.12.1-r2"), vulnerable:make_list("lt 0.14.1-r1"))) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get()); else security_note(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gettext"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-5-1.NASL description Recently, Trustix Secure Linux discovered some vulnerabilities in the gettext package. The programs last seen 2020-06-01 modified 2020-06-02 plugin id 20667 published 2006-01-15 reporter Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20667 title Ubuntu 4.10 : gettext vulnerabilities (USN-5-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-5-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20667); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2004-0966"); script_xref(name:"USN", value:"5-1"); script_name(english:"Ubuntu 4.10 : gettext vulnerabilities (USN-5-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Recently, Trustix Secure Linux discovered some vulnerabilities in the gettext package. The programs 'autopoint' and 'gettextize' created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gettext-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gettext-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gettext-el"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"gettext", pkgver:"0.14.1-2ubuntu0.1")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"gettext-base", pkgver:"0.14.1-2ubuntu0.1")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"gettext-doc", pkgver:"0.14.1-2ubuntu0.1")) flag++; if (ubuntu_check(osver:"4.10", pkgname:"gettext-el", pkgver:"0.14.1-2ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gettext / gettext-base / gettext-doc / gettext-el"); }
References
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323
- http://marc.info/?l=bugtraq&m=110382652226638&w=2
- http://www.gentoo.org/security/en/glsa/glsa-200410-10.xml
- http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00000.html
- http://www.securityfocus.com/bid/11282
- http://www.trustix.org/errata/2004/0050
- http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:051
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17583
- https://www.ubuntu.com/usn/usn-5-1/