- Vulnerability/
- CVE-2012-3500
CVE-2012-3500
First published: Tue Aug 14 2012(Updated: )
A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools, a suite of scripts and (X)Emacs support files to aid in development of RPM packages, performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool. Issue found by Jim Meyering of Red Hat.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Devscripts Devel Team Devscripts | <=2.12.1 | |
| Devscripts Devel Team Devscripts | =2.12.0 | |
| Fedora Rpmdevtools | <=8.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=604260&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=604260&action=edit
- https://access.redhat.com/security/cve/CVE-2012-3500
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=853452
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=848022#c0
- http://thread.gmane.org/gmane.comp.security.oss.general/8277/focus=8286
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=848022#c8
- https://bugzilla.redhat.com/show_bug.cgi?id=848022
- http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git%3Ba=commit%3Bh=4d23a5e6c90f7a37b0972b30f5d31dce97a93eb0
- http://git.fedorahosted.org/cgit/rpmdevtools.git/commit/?id=90b4400c2ab2e80cecfd8dfdf031536376ed2cdb
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086138.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086159.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087335.html
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00000.html
- http://secunia.com/advisories/50600
- http://www.debian.org/security/2012/dsa-2549
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:123
- http://www.openwall.com/lists/oss-security/2012/08/31/7
- http://www.securityfocus.com/bid/55358
- http://www.ubuntu.com/usn/USN-1593-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78230
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0316
- collector/redhat-bugzilla
- alias/CVE-2012-3500
- collector/nvd-index
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- vendor/devscripts devel team
- canonical/devscripts devel team devscripts
- version/devscripts devel team devscripts/2.12.1
- version/devscripts devel team devscripts/2.12.0
- vendor/fedora
- canonical/fedora rpmdevtools
- version/fedora rpmdevtools/8.2-1