CVE-2012-5630: Race Condition
First published: Thu Dec 06 2012(Updated: )
A TOCTOU (time-of-check time-of-use) race condition was found in the way libuser, a user and group account administration library, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was simultaneously modified (copied or removed) via libuser functionality. This issue was found by Florian Weimer of Red Hat Product Security Team.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libuser | 1:0.62~dfsg-0.4 1:0.64~dfsg-1 1:0.64~dfsg-2 | |
| SUSE Libuser | =0.57 | |
| SUSE Libuser | =0.58 | |
| Fedora | =18 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html
- https://access.redhat.com/security/cve/cve-2012-5630
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5630
- https://security-tracker.debian.org/tracker/CVE-2012-5630
- https://www.securityfocus.com/bid/59285
- https://bugzilla.redhat.com/show_bug.cgi?id=884685#c31
- https://access.redhat.com/security/cve/CVE-2012-5630
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=928846
- https://access.redhat.com/security/cve/CVE-2012-5644
- https://fedorahosted.org/libuser/changeset?reponame=&old=cd5a8babd110b138d40fe0d51da2e7d18069eca6%40&new=4a8a1c1c5cf4611bfbdb5d23b51b1a4110112b97%40
- https://fedorahosted.org/libuser/changeset?reponame=&old=ae3646e9ed8acea5aa64b4c35f8e2e015696093c%40&new=d094070cab7f717a5d2b17bde0a4795fab9d7239%40
- http://pkgs.fedoraproject.org/cgit/libuser.git/tree/libuser-dirtree-TOCTOU-fix.patch?id=78a55bf498cac0b430ba6512654860c39dfd0bf9
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=884685
Frequently Asked Questions
What is the severity of CVE-2012-5630?
CVE-2012-5630 is classified as a moderate severity vulnerability due to its local exploitation vector.
How do I fix CVE-2012-5630?
To fix CVE-2012-5630, upgrade libuser to the latest version provided by your operating system's package manager.
Who is affected by CVE-2012-5630?
CVE-2012-5630 affects installations of libuser version 0.57 and earlier, along with specific Debian and Fedora versions.
What kind of attack can be performed using CVE-2012-5630?
A local attacker can exploit CVE-2012-5630 to conduct symbolic link attacks, leading to unauthorized access to user directory trees.
Is CVE-2012-5630 a network-based vulnerability?
No, CVE-2012-5630 is not a network-based vulnerability; it requires local access to exploit.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5630
- agent/severity
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/trending
- agent/weakness
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/libuser project
- canonical/suse libuser
- version/suse libuser/0.57
- version/suse libuser/0.58
- vendor/fedoraproject
- canonical/fedora
- version/fedora/18
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0