CVE-2012-3500 - Race Condition vulnerability in Devscripts Devel Team Devscripts 2.12.0

CVSS 0.0 - NONE
Attack vector, attack complexity, privileges required, confidentiality impact, integrity impact, availability impact: UNKNOWN (no base metrics recorded for this entry)

Summary

scripts/annotate-output.sh in devscripts before 2.12.2, as used in rpmdevtools before 8.3, allows local users to modify arbitrary files via a symlink attack on the temporary (1) standard output or (2) standard error output file.

The distribution advisories listed below do not agree on the impact: the Debian advisory describes the flaw as a predictable temporary named-pipe name that lets a local attacker make annotate-output abort (denial of service), while the Ubuntu advisory notes that on Ubuntu 11.04 and later the Yama kernel symlink restrictions mitigate the issue.

Vulnerable Configurations

Part          Description             Count
Application   Devscripts_Devel_Team   2
Application   Fedora                  1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with their own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
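The symlink race in the Summary and the TOCTOU pattern in the CAPEC entries above, worked as a constructed shell example. This is added here and is not code from devscripts, rpmdevtools, or annotate-output.sh itself; it assumes the general shape of the bug class rather than the script's exact lines: a temporary name built from a fixed prefix plus the PID in a shared directory, removed and then recreated either by a plain redirect (the file-modification impact the Summary describes) or by mkfifo (the abort the Debian advisory below describes). The sandbox directory $WORK stands in for /tmp, the victim file and the attacker function are constructed for the demonstration, and the fix shown is the standard mktemp -d private-directory pattern.

```shell
#!/bin/sh
# Constructed demonstration of the CVE-2012-3500 bug class (predictable
# temporary stdout/stderr files in a shared directory) next to the fix.
# Not the devscripts code: the unlink-then-recreate sequence is an assumed
# shape of the bug, and "$WORK" stands in for /tmp.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
printf 'original contents\n' > "$WORK/victim"   # a file only the victim can write

# The kind of name the vulnerable pattern uses: a fixed prefix plus the PID,
# which any local user can read from ps.
GUESSABLE="$WORK/annotate.$$"

# Simulated local attacker: point the guessable name at the victim file.
attacker_plants_symlink() {
    ln -s "$WORK/victim" "$GUESSABLE" 2>/dev/null || true
}

# Variant 1 (the impact in the CVE summary): the temp file is opened with a
# plain redirect. open(O_CREAT) follows the symlink, so the wrapped command's
# output lands in the victim file. Returns 0 if the victim was overwritten.
vulnerable_redirect() {
    out="$GUESSABLE"
    rm -f "$out"                      # race window opens here
    attacker_plants_symlink           # attacker wins the race
    echo "stdout of wrapped command" > "$out"
    rm -f "$out"                      # removes only the symlink
    [ "$(cat "$WORK/victim")" = "stdout of wrapped command" ]
}

# Variant 2 (the impact in the Debian advisory): the script wants a FIFO, so
# it unlinks the name and calls mkfifo. mkfifo does not follow symlinks and
# fails with EEXIST on the planted link, so the script aborts: a DoS.
# Returns mkfifo's exit status.
vulnerable_fifo() {
    out="$GUESSABLE"
    rm -f "$out"
    attacker_plants_symlink
    mkfifo "$out" 2>/dev/null
    status=$?
    rm -f "$out"
    return $status
}

# Fixed pattern: a private 0700 directory with an unguessable name, FIFOs
# created inside it, and no unlink-then-create step. The attacker's guess
# still lands on $GUESSABLE, a path the script never touches.
# Prints the stdout FIFO path and returns 0 on success.
safe_fifo() {
    dir=$(mktemp -d "$WORK/annotate.XXXXXX") || return 1
    attacker_plants_symlink           # same attacker, same guess
    mkfifo "$dir/out" "$dir/err" || return 1
    [ -p "$dir/out" ] && [ -p "$dir/err" ] || return 1
    rm -f "$GUESSABLE"                # tidy the attacker's stray link
    printf '%s\n' "$dir/out"
}

if vulnerable_redirect; then echo "redirect variant: victim file overwritten"; fi
if ! vulnerable_fifo; then echo "fifo variant: mkfifo failed, script would abort"; fi
fifo=$(safe_fifo) && echo "fixed pattern: FIFO created at $fifo"
```

The attacker here is a function in the same process, which is enough to show the window because the point is ordering, not privilege; on a real system the race is between two users sharing /tmp. Yama's sticky-directory symlink restriction, which the Ubuntu advisory cites as a mitigation, stops the redirect variant because the kernel refuses to follow a symlink in a world-writable sticky directory when the link owner differs from the process following it; it does nothing for the mkfifo variant, where the attacker only needs the name to exist. The mktemp -d fix closes both, because the name cannot be guessed and the directory cannot be written by other users.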

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1593-1.NASL
    description: Raphael Geissert discovered that the debdiff.pl tool incorrectly handled shell metacharacters. If a user or automated system were tricked into processing a specially crafted filename, a remote attacker could possibly execute arbitrary code. (CVE-2012-0212) Raphael Geissert discovered that the dscverify tool incorrectly escaped arguments to external commands. If a user or automated system were tricked into processing specially crafted files, a remote attacker could possibly execute arbitrary code. (CVE-2012-2240) Raphael Geissert discovered that the dget tool incorrectly performed input validation. If a user or automated system were tricked into processing specially crafted files, a remote attacker could delete arbitrary files. (CVE-2012-2241) Raphael Geissert discovered that the dget tool incorrectly escaped arguments to external commands. If a user or automated system were tricked into processing specially crafted files, a remote attacker could possibly execute arbitrary code. This issue only affected Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2012-2242) Jim Meyering discovered that the annotate-output tool incorrectly handled temporary files. A local attacker could use this flaw to alter files being processed by the annotate-output tool. On Ubuntu 11.04 and later, this issue was mitigated by the Yama kernel symlink restrictions. (CVE-2012-3500). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62411
    published: 2012-10-03
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62411
    title: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : devscripts vulnerabilities (USN-1593-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13263.NASL
    description: Update to upstream version 8.3, fixing among other issues a symlink attack possibility in annotate-output (CVE-2012-3500). http://git.fedorahosted.org/cgit/rpmdevtools.git/tree/NEWS?id=HEAD Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-09-12
    plugin id: 62053
    published: 2012-09-12
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62053
    title: Fedora 16 : rpmdevtools-8.3-1.fc16 (2012-13263)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13234.NASL
    description: Update to upstream version 8.3, fixing among other issues a symlink attack possibility in annotate-output (CVE-2012-3500). http://git.fedorahosted.org/cgit/rpmdevtools.git/tree/NEWS?id=HEAD Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-09-12
    plugin id: 62051
    published: 2012-09-12
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62051
    title: Fedora 17 : rpmdevtools-8.3-1.fc17 (2012-13234)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-13208.NASL
    description: Update to upstream version 8.3, fixing among other issues a symlink attack possibility in annotate-output (CVE-2012-3500). http://git.fedorahosted.org/cgit/rpmdevtools.git/tree/NEWS?id=HEAD Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-09-18
    plugin id: 62145
    published: 2012-09-18
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62145
    title: Fedora 18 : rpmdevtools-8.3-1.fc18 (2012-13208)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-123.NASL
    description: Updated rpmdevtools package fixes security vulnerability : A TOCTOU race condition was found in the way
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66135
    published: 2013-04-20
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66135
    title: Mandriva Linux Security Advisory : rpmdevtools (MDVSA-2013:123)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-757.NASL
    description: - Fix tmp issues in annotate-output (bnc#778291, CVE-2012-3500)
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74802
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74802
    title: openSUSE Security Update : deb / update-alternatives (openSUSE-SU-2012:1437-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2549.NASL
    description: Multiple vulnerabilities have been discovered in devscripts, a set of scripts to make the life of a Debian Package maintainer easier. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them : - CVE-2012-2240 : Raphael Geissert discovered that dscverify does not perform sufficient validation and does not properly escape arguments to external commands, allowing a remote attacker (as when dscverify is used by dget) to execute arbitrary code. - CVE-2012-2241 : Raphael Geissert discovered that dget allows an attacker to delete arbitrary files when processing a specially crafted .dsc or .changes file, due to insufficient input validation. - CVE-2012-2242 : Raphael Geissert discovered that dget does not properly escape arguments to external commands when processing .dsc and .changes files, allowing an attacker to execute arbitrary code. This issue is limited with the fix for CVE-2012-2241, and had already been fixed in version 2.10.73 due to changes to the code, without considering its security implications. - CVE-2012-3500 : Jim Meyering, Red Hat, discovered that annotate-output determines the name of temporary named pipes in a way that allows a local attacker to make it abort, leading to denial of service. Additionally, a regression in the exit code of debdiff introduced in DSA-2409-1 has been fixed.
    last seen: 2020-03-17
    modified: 2012-09-17
    plugin id: 62113
    published: 2012-09-17
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62113
    title: Debian DSA-2549-1 : devscripts - multiple vulnerabilities