CVE-2005-3011 - Link Following vulnerability in GNU Texinfo 4.8
Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Summary
The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Symlink Attack: An attacker positions a symbolic link so that the targeted user or application accesses the link's endpoint while assuming it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the endpoint is modified instead of a file at the intended location; modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other changes. In some variants of this attack the attacker can control the change made to the file, while in other cases they cannot. The former is especially damaging, since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging, as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to make the target process different information, possibly allowing the attacker to control the actions of the target or to cause it to expose information to the attacker. Moreover, the actions taken on the endpoint file are performed with the permissions of the targeted user or application, which may exceed the permissions the attacker would normally have.
- Accessing, Modifying or Executing Executable Files: An attack of this type exploits a system configuration that allows an attacker either to directly access an executable file (for example through shell access) or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because programmers and administrators must stay in sync regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image or configuration file), the attacker has already modified that file so that it either executes malicious code directly or manipulates the target process (e.g. an application server) through malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate PDF URL (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes: the attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server, and adding the role name "public" grants every user with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, so when it is manipulated the attacker gains full control.
- Manipulating Input to File System Calls: An attacker manipulates inputs to the target software that it passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Nessus
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2006-0727.NASL
description: New Texinfo packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 37714
published: 2009-04-23
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/37714
title: CentOS 3 / 4 : texinfo (CESA-2006:0727)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0727 and
# CentOS Errata and Security Advisory 2006:0727 respectively.
#

include("compat.inc");

if (description)
{
  script_id(37714);
  script_version("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2005-3011", "CVE-2006-4810");
  script_bugtraq_id(14854, 20959);
  script_xref(name:"RHSA", value:"2006:0727");

  script_name(english:"CentOS 3 / 4 : texinfo (CESA-2006:0727)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New Texinfo packages that fix various security vulnerabilities are now
available.

This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

Texinfo is a documentation system that can produce both online
information and printed output from a single source file.

A buffer overflow flaw was found in Texinfo's texindex command. An
attacker could construct a carefully crafted Texinfo file that could
cause texindex to crash or possibly execute arbitrary code when
opened. (CVE-2006-4810)

A flaw was found in the way Texinfo's texindex command creates
temporary files. A local user could leverage this flaw to overwrite
files the user executing texindex has write access to.
(CVE-2005-3011)

Users of Texinfo should upgrade to these updated packages which
contain backported patches and are not vulnerable to these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013356.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f91cdb2f"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013372.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?44952730"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013373.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?cec4dedf"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013385.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?db022d1e"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013386.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8813b5bb"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected texinfo packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:info");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:texinfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-3", reference:"info-4.5-3.el3.1")) flag++;
if (rpm_check(release:"CentOS-3", reference:"texinfo-4.5-3.el3.1")) flag++;

if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"info-4.7-5.el4.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"info-4.7-5.el4.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"texinfo-4.7-5.el4.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"texinfo-4.7-5.el4.2")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "info / texinfo");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2006-1203.NASL
description: - Sun Nov 5 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-14 - Remove off-line sorting from texindex (fixes CVE-2006-4810) - Mon Oct 9 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-13 - Don
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24049
published: 2007-01-17
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24049
title: Fedora Core 6 : texinfo-4.8-14.fc6 (2006-1203)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2006-1203.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(24049);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  script_xref(name:"FEDORA", value:"2006-1203");

  script_name(english:"Fedora Core 6 : texinfo-4.8-14.fc6 (2006-1203)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"  - Sun Nov 5 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-14
  - Remove off-line sorting from texindex (fixes CVE-2006-4810)
  - Mon Oct 9 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-13
  - Don't use mode 0666 for the texindex temporary files
  - Mon Oct 9 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-12
  - Don't leave around temporary files used by texindex
  - Add missing error handling to texinfo-CVE-2005-3011.patch
  - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 4.8-11.1
  - rebuild
  - Sat Mar 25 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-11
  - Split texinfo-tex from the texinfo package (#178406)
  - Ship COPYING, don't ship INSTALL
  - Sun Mar 19 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-10
  - Remove incorrect Prefix :
  - Drop info/README
  - Convert change log to UTF-8
  - Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com> - 4.8-9.2
  - bump again for double-long bug on ppc(64)
  - Tue Feb 7 2006 Jesse Keating <jkeating at redhat.com> - 4.8-9.1
  - rebuilt for new gcc4.1 snapshot and glibc changes
  - Mon Jan 16 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-9
  - Fix handling of bzip2'ed files (#128637)
  - Mon Jan 16 2006 Miloslav Trmac <mitr at redhat.com> - 4.8-8
  - Ignore scriptlet failures with --excludedocs (#166958)
  - Don't link texindex to zlib, don't pretend to link to zlib statically
  - Fri Dec 9 2005 Jesse Keating <jkeating at redhat.com>
  - rebuilt
  - Fri Oct 14 2005 Tim Waugh <twaugh at redhat.com> 4.8-7
  - Apply patch to fix CVE-2005-3011 (bug #169585).
  - Thu Jun 9 2005 Tim Waugh <twaugh at redhat.com> 4.8-6
  - Ship texi2pdf man page, taken from tetex-2.0.2 RPM.
  - Tue Jun 7 2005 Tim Waugh <twaugh at redhat.com> 4.8-5
  - Ship texi2pdf (bug #147271).
  - Mon Mar 14 2005 Tim Waugh <twaugh at redhat.com> 4.8-4
  - Requires tetex (bug #151075).
  - Wed Mar 2 2005 Tim Waugh <twaugh at redhat.com> 4.8-3
  - Rebuild for new GCC.
  - Mon Feb 7 2005 Tim Waugh <twaugh at redhat.com> 4.8-2
  - Don't ship texi2pdf (bug #147271).
  - Thu Feb 3 2005 Tim Waugh <twaugh at redhat.com> 4.8-1
  - 4.8.
  - Thu Dec 30 2004 Tim Waugh <twaugh at redhat.com> 4.7-6
  - Fixed URL (bug #143729).
  - Thu Aug 12 2004 Tim Waugh <twaugh at redhat.com> 4.7-5
  - Rebuilt.
  - Wed Jul 7 2004 Tim Waugh <twaugh at redhat.com> 4.7-4
  - Build for FC2.
  - Tue Jun 29 2004 Tim Waugh <twaugh at redhat.com> 4.7-3
  - Fix grouping in user-defined macros.
  - Mon Jun 28 2004 Tim Waugh <twaugh at redhat.com> 4.7-2
    [plus 162 lines in the Changelog]

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2006-November/000852.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?fb19d12c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:info");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:texinfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:texinfo-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:texinfo-tex");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC6", reference:"info-4.8-14.fc6")) flag++;
if (rpm_check(release:"FC6", reference:"texinfo-4.8-14.fc6")) flag++;
if (rpm_check(release:"FC6", reference:"texinfo-debuginfo-4.8-14.fc6")) flag++;
if (rpm_check(release:"FC6", reference:"texinfo-tex-4.8-14.fc6")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "info / texinfo / texinfo-debuginfo / texinfo-tex");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-991.NASL
description: This package fixes a temporary file name vulnerability in the texindex program (CVE-2005-3011). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20026
published: 2005-10-19
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20026
title: Fedora Core 4 : texinfo-4.8-4.1 (2005-991)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-991.
#

include("compat.inc");

if (description)
{
  script_id(20026);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  script_xref(name:"FEDORA", value:"2005-991");

  script_name(english:"Fedora Core 4 : texinfo-4.8-4.1 (2005-991)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This package fixes a temporary file name vulnerability in the texindex
program (CVE-2005-3011).

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-October/001484.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e5d1efbd"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected info, texinfo and / or texinfo-debuginfo packages."
  );
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:info");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:texinfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:texinfo-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:4");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 4.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC4", reference:"info-4.8-4.1")) flag++;
if (rpm_check(release:"FC4", reference:"texinfo-4.8-4.1")) flag++;
if (rpm_check(release:"FC4", reference:"texinfo-debuginfo-4.8-4.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "info / texinfo / texinfo-debuginfo");
}
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200510-04.NASL
description: The remote host is affected by the vulnerability described in GLSA-200510-04 (Texinfo: Insecure temporary file creation) Frank Lichtenheld has discovered that the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19974
published: 2005-10-11
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19974
title: GLSA-200510-04 : Texinfo: Insecure temporary file creation
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200510-04.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(19974);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-3011");
  script_bugtraq_id(14854);
  script_xref(name:"GLSA", value:"200510-04");

  script_name(english:"GLSA-200510-04 : Texinfo: Insecure temporary file creation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200510-04
(Texinfo: Insecure temporary file creation)

    Frank Lichtenheld has discovered that the 'sort_offline()' function in
    texindex insecurely creates temporary files with predictable filenames.

Impact :

    A local attacker could create symbolic links in the temporary files
    directory, pointing to a valid file somewhere on the filesystem. When
    texindex is executed, this would result in the file being overwritten
    with the rights of the user running the application.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200510-04"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Texinfo users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=sys-apps/texinfo-4.8-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:texinfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"sys-apps/texinfo", unaffected:make_list("ge 4.8-r1"), vulnerable:make_list("lt 4.8-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get());
  else security_note(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Texinfo");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-990.NASL
description: This package fixes a temporary file name vulnerability in the texindex program (CVE-2005-3011). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20025
published: 2005-10-19
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20025
title: Fedora Core 3 : texinfo-4.8-2.2 (2005-990)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2006-0727.NASL
description: From Red Hat Security Advisory 2006:0727 : New Texinfo packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67419
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67419
title: Oracle Linux 3 / 4 : texinfo (ELSA-2006-0727)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2006-0727-1.NASL
description: New Texinfo packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 67037
published: 2013-06-29
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/67037
title: CentOS 3 / 4 : texinfo (CESA-2006:0727-1)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-194-1.NASL
description: Frank Lichtenheld discovered that the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20608
published: 2006-01-15
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20608
title: Ubuntu 4.10 / 5.04 : texinfo vulnerability (USN-194-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2006-0727.NASL
description: New Texinfo packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23678
published: 2006-11-20
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/23678
title: RHEL 2.1 / 3 / 4 : texinfo (RHSA-2006:0727)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1219.NASL
description: Multiple vulnerabilities have been found in the GNU texinfo package, a documentation system for on-line information and printed output. - CVE-2005-3011 Handling of temporary files is performed in an insecure manner, allowing an attacker to overwrite any file writable by the victim. - CVE-2006-4810 A buffer overflow in util/texindex.c could allow an attacker to execute arbitrary code with the victim
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23742
published: 2006-11-30
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23742
title: Debian DSA-1219-1 : texinfo - buffer overflow

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-175.NASL
description: Frank Lichtenheld has discovered that texindex insecurely creates temporary files with predictable filenames. This is exploitable if a local attacker were to create symbolic links in the temporary files directory, pointing to a valid file on the filesystem. When texindex is executed, the file would be overwritten with the rights of the user running texindex. The updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19984
published: 2005-10-11
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19984
title: Mandrake Linux Security Advisory : texinfo (MDKSA-2005:175)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2007-005.NASL
description: The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2007-005 applied. This update fixes security flaws in the following applications : Alias Manager, BIND, CoreGraphics, crontabs, fetchmail, file, iChat, mDNSResponder, PPP, ruby, screen, texinfo, VPN
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25297
published: 2007-05-25
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25297
title: Mac OS X Multiple Vulnerabilities (Security Update 2007-005)
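The Gentoo and Mandriva advisory text above describes the mechanism behind CVE-2005-3011: texindex's sort_offline() created its temporary files under predictable names, so a symbolic link planted at such a name in the temporary directory is followed when the file is opened, and the link target is overwritten with the rights of whoever runs texindex. The Fedora changelog adds two details of the fix, that the temporary files stopped being created with mode 0666 and stopped being left behind. The C program below is an added example written for this page; it is not texindex code and not taken from any of the advisories. It builds a private scratch directory, shows the unsafe open pattern (fixed name, O_CREAT|O_TRUNC, mode 0666) being redirected through a planted link to a file the demo itself created, and contrasts it with two hardened forms: an exclusive, non-following open at a fixed path, and mkstemp, which picks an unpredictable name and creates the file atomically with mode 0600. All paths, file contents and the "victim" file are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern modelled on the advisory text (not the real texindex code):
 * a fixed, predictable temporary path opened with O_CREAT|O_TRUNC and mode
 * 0666.  open() follows a symlink already present at that path, so the link
 * target is truncated and overwritten with the caller's privileges. */
static int write_tmp_predictable(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened form for a fixed path: O_EXCL fails with EEXIST when anything
 * (regular file or symlink) already exists there, O_NOFOLLOW refuses to
 * follow a link, and mode 0600 keeps other users out of the file. */
static int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: mkstemp replaces the XXXXXX suffix with an unpredictable
 * value and creates the file with O_CREAT|O_EXCL and mode 0600. */
static int open_tmp_mkstemp(char *template)
{
    return mkstemp(template);
}

/* Read a whole small file into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Runs the whole scenario in a private directory and cleans up afterwards.
 * Returns a bitmask:
 *   1  the predictable open wrote through the planted link into victim.txt
 *   2  the O_EXCL|O_NOFOLLOW open refused the planted link (EEXIST/ELOOP)
 *   4  mkstemp created a fresh 0600 regular file at a different name
 * All three behaviours observed => 7.  -1 means no scratch dir was available. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/texindex-demo-XXXXXX";
    char victim[256], tmp_path[256], tmpl[256], buf[64];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL) {                 /* fall back to the cwd */
        strcpy(dir, "./texindex-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmp_path, sizeof tmp_path, "%s/texindex.tmp", dir); /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/texindex.XXXXXX", dir);      /* mkstemp template */

    /* Constructed scenario: a file the user cares about, plus a link planted
     * at the predictable temporary name that points at it. */
    if (write_tmp_predictable(victim, "original contents\n") != 0) goto out;
    if (symlink(victim, tmp_path) != 0) goto out;

    /* 1. Unsafe pattern: the "temporary" write lands in victim.txt. */
    if (write_tmp_predictable(tmp_path, "index data\n") == 0 &&
        read_file(victim, buf, sizeof buf) > 0 &&
        strcmp(buf, "index data\n") == 0)
        result |= 1;

    /* 2. Exclusive, non-following open refuses the pre-existing link. */
    errno = 0;
    fd = open_tmp_exclusive(tmp_path);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    else if (fd >= 0)
        close(fd);

    /* 3. mkstemp: unique name, private mode, untouched by the planted link. */
    fd = open_tmp_mkstemp(tmpl);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & 0777) == 0600 && strcmp(tmpl, tmp_path) != 0)
            result |= 4;
        close(fd);
        unlink(tmpl);                           /* do not leave temp files around */
    }

out:
    unlink(tmp_path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("demo bitmask: %d (7 = unsafe write redirected, exclusive open refused, mkstemp ok)\n", r);
    return r == 7 ? 0 : 1;
}
```

The point worth taking from the contrast is that the defence is in the open flags and the name choice, not in checking for a link beforehand: an lstat() followed by open() leaves a window in which the link can be planted, whereas O_CREAT|O_EXCL (with or without mkstemp) makes the create-or-fail decision atomically in the kernel.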
Oval
| Field | Value |
|---|---|
| accepted | 2013-04-29T04:06:54.832-04:00 |
| class | vulnerability |
| contributors | |
| definition_extensions | |
| description | The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| family | unix |
| id | oval:org.mitre.oval:def:10589 |
| status | accepted |
| submitted | 2010-07-09T03:56:16-04:00 |
| title | The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| version | 25 |
Redhat
advisories | |
rpms | |
Seebug
bulletinFamily | exploit |
description | Apple Mac OS X is a commercial operating system based on BSD. Apple Mac OS X has multiple security issues; a remote attacker can exploit them to cause denial of service, execute arbitrary code, escalate privileges, and carry out other attacks.
CVE-ID: CVE-2007-0740 Alias Manager can, under certain conditions, cause a user to open a malicious file, leading to privilege escalation.
CVE-ID: CVE-2007-0493, CVE-2007-0494, CVE-2006-4095, CVE-2006-4096: The BIND service has multiple security issues that can lead to denial of service.
CVE-ID: CVE-2007-0750 CoreGraphics can trigger an overflow when opening a specially crafted PDF file, leading to arbitrary code execution.
CVE-ID: CVE-2007-0751 When the daily cleanup script runs, a file system mounted under the /tmp directory can be deleted.
CVE-ID: CVE-2007-1558 fetchmail has a security issue in its encryption handling that can lead to disclosure of password information.
CVE-ID: CVE-2007-1536 Running the file command on a specially crafted file can lead to arbitrary code execution or denial of service.
CVE-ID: CVE-2007-2390 The UPnP IGD code that iChat uses to set up port mappings on home NAT gateways has a buffer overflow; a crafted malicious packet can lead to arbitrary code execution.
CVE-ID: CVE-2007-0752 The PPP daemon can allow privilege escalation when loading plugins via the command line.
CVE-ID: CVE-2006-5467, CVE-2006-6303 The Ruby CGI library has multiple denial-of-service issues.
CVE-ID: CVE-2006-4573 GNU Screen has multiple denial-of-service issues.
CVE-ID: CVE-2005-3011 texinfo has a vulnerability that allows arbitrary files to be overwritten.
CVE-ID: CVE-2007-0753 vpnd has a format string issue that can be used to escalate privileges.
Affected: Cosmicperl Directory Pro 10.0.3, Apple Mac OS X Server 10.4.9, Apple Mac OS X Server 10.4.8, Apple Mac OS X Server 10.4.7, Apple Mac OS X Server 10.4.6, Apple Mac OS X Server 10.4.5, Apple Mac OS X Server 10.4.4, Apple Mac OS X Server 10.4.3, Apple Mac OS X Server 10.4.2, Apple Mac OS X Server 10.4.1, Apple Mac OS X Server 10.4, Apple Mac OS X Server 10.3.9, Apple Mac OS X Server 10.3.8, Apple Mac OS X Server 10.3.7, Apple Mac OS X Server 10.3.6, Apple Mac OS X Server 10.3.5, Apple Mac OS X Server 10.3.4, Apple Mac OS X Server 10.3.3, Apple Mac OS X Server 10.3.2, Apple Mac OS X Server 10.3.1, Apple Mac OS X Server 10.3, Apple Mac OS X Server 10.2.8, Apple Mac OS X Server 10.2.7, Apple Mac OS X Server 10.2.6, Apple Mac OS X Server 10.2.5, Apple Mac OS X Server 10.2.4, Apple Mac OS X Server 10.2.3, Apple Mac OS X Server 10.2.2, Apple Mac OS X Server 10.2.1, Apple Mac OS X Server 10.2, Apple Mac OS X Server 10.1.5, Apple Mac OS X Server 10.1.4, Apple Mac OS X Server 10.1.3, Apple Mac OS X Server 10.1.2, Apple Mac OS X Server 10.1.1, Apple Mac OS X Server 10.1, Apple Mac OS X Server 10.0, Apple Mac OS X Preview.app 3.0.8, Apple Mac OS X 10.4.9, Apple Mac OS X 10.4.8, Apple Mac OS X 10.4.7, Apple Mac OS X 10.4.6, Apple Mac OS X 10.4.5, Apple Mac OS X 10.4.4, Apple Mac OS X 10.4.3, Apple Mac OS X 10.4.2, Apple Mac OS X 10.4.1, Apple Mac OS X 10.4, Apple Mac OS X 10.3.9, Apple Mac OS X 10.3.8, Apple Mac OS X 10.3.7, Apple Mac OS X 10.3.6, Apple Mac OS X 10.3.5, Apple Mac OS X 10.3.4, Apple Mac OS X 10.3.3, Apple Mac OS X 10.3.2, Apple Mac OS X 10.3.1, Apple Mac OS X 10.3, Apple Mac OS X 10.2.8, Apple Mac OS X 10.2.7, Apple Mac OS X 10.2.6, Apple Mac OS X 10.2.5, Apple Mac OS X 10.2.4, Apple Mac OS X 10.2.3, Apple Mac OS X 10.2.2, Apple Mac OS X 10.2.1, Apple Mac OS X 10.2, Apple Mac OS X 10.1.5, Apple Mac OS X 10.1.4, Apple Mac OS X 10.1.3, Apple Mac OS X 10.1.2, Apple Mac OS X 10.1.1, Apple Mac OS X 10.1, Apple Mac OS X 10.0.4, Apple Mac OS X 10.0.3, Apple Mac OS X 10.0.2, Apple Mac OS X 10.0.1, Apple Mac OS X 10.0 3, Apple Mac OS X 10.0
Updates:
Apple Mac OS X Server 10.3.9: Apple SecUpdSrvr2007-005Pan.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13993&cat=1&platform=osx&method=sa/SecUpdSrvr2007-005Pan.dmg
Apple Mac OS X 10.3.9: Apple SecUpd2007-005Pan.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13992&cat=1&platform=osx&method=sa/SecUpd2007-005Pan.dmg
Apple Mac OS X Server 10.4.9: Apple SecUpd2007-005Ti.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13995&cat=1&platform=osx&method=sa/SecUpd2007-005Ti.dmg ; Apple SecUpd2007-005Univ.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13998&cat=1&platform=osx&method=sa/SecUpd2007-005Univ.dmg
Apple Mac OS X 10.4.9: Apple SecUpd2007-005Ti.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13995&cat=1&platform=osx&method=sa/SecUpd2007-005Ti.dmg ; Apple SecUpd2007-005Univ.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13998&cat=1&platform=osx&method=sa/SecUpd2007-005Univ.dmg |
id | SSV:1795 |
last seen | 2017-11-19 |
modified | 2007-05-25 |
published | 2007-05-25 |
reporter | Root |
title | Apple Mac OS X 2007-005 Multiple Security Vulnerabilities |
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Updated packages to correct this issue are available along with our advisory: http://rhn.redhat.com/errata/CVE-2005-3011.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc
- ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365
- http://docs.info.apple.com/article.html?artnum=305530
- http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
- http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
- http://secunia.com/advisories/16816
- http://secunia.com/advisories/17070
- http://secunia.com/advisories/17076
- http://secunia.com/advisories/17093
- http://secunia.com/advisories/17211
- http://secunia.com/advisories/17215
- http://secunia.com/advisories/18401
- http://secunia.com/advisories/22929
- http://secunia.com/advisories/23112
- http://secunia.com/advisories/24788
- http://secunia.com/advisories/25402
- http://securitytracker.com/id?1014992
- http://securitytracker.com/id?1015468
- http://www.debian.org/security/2006/dsa-1219
- http://www.gentoo.org/security/en/glsa/glsa-200510-04.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:175
- http://www.novell.com/linux/security/advisories/2005_23_sr.html
- http://www.redhat.com/support/errata/RHSA-2006-0727.html
- http://www.securityfocus.com/archive/1/464745/100/0/threaded
- http://www.securityfocus.com/bid/14854
- http://www.ubuntu.com/usn/usn-194-1
- http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
- http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
- http://www.vupen.com/english/advisories/2007/1267
- http://www.vupen.com/english/advisories/2007/1939
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10589