CVE-2012-5630: Race Condition
First published: Thu Dec 06 2012(Updated: )
A TOCTOU (time-of-check time-of-use) race condition was found in the way libuser, a user and group account administration library, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was simultaneously modified (copied or removed) via libuser functionality. This issue was found by Florian Weimer of Red Hat Product Security Team.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libuser Project Libuser | =0.57 | |
| Libuser Project Libuser | =0.58 | |
| Fedoraproject Fedora | =18 | |
| Redhat Enterprise Linux | =5.0 | |
| Redhat Enterprise Linux | =6.0 | |
| debian/libuser | 1:0.62~dfsg-0.4 1:0.64~dfsg-1 1:0.64~dfsg-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html
- https://access.redhat.com/security/cve/cve-2012-5630
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5630
- https://security-tracker.debian.org/tracker/CVE-2012-5630
- https://www.securityfocus.com/bid/59285
- https://bugzilla.redhat.com/show_bug.cgi?id=884685#c31
- https://access.redhat.com/security/cve/CVE-2012-5630
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=928846
- https://access.redhat.com/security/cve/CVE-2012-5644
- https://fedorahosted.org/libuser/changeset?reponame=&old=cd5a8babd110b138d40fe0d51da2e7d18069eca6%40&new=4a8a1c1c5cf4611bfbdb5d23b51b1a4110112b97%40
- https://fedorahosted.org/libuser/changeset?reponame=&old=ae3646e9ed8acea5aa64b4c35f8e2e015696093c%40&new=d094070cab7f717a5d2b17bde0a4795fab9d7239%40
- http://pkgs.fedoraproject.org/cgit/libuser.git/tree/libuser-dirtree-TOCTOU-fix.patch?id=78a55bf498cac0b430ba6512654860c39dfd0bf9
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=884685
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5630
- agent/softwarecombine
- agent/tags
- vendor/libuser project
- canonical/libuser project libuser
- version/libuser project libuser/0.57
- version/libuser project libuser/0.58
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/18
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/5.0
- version/redhat enterprise linux/6.0
- package-manager/debian