CVE-2012-5644: Infoleak
First published: Mon Dec 10 2012(Updated: )
An information disclosure flaw was found in the way libuser, an user and group account administration library, performed movement of user's home directory. Previously, during the move the ownership of all the (sub)entries present in directory tree, to be moved, were changed from privileged user account to the effective user id of the user, the home directory should belong to. A local attacker could use this flaw to conduct hardlink attacks and possibly obtain unauthorized access to arbitrary system file. This issue was found by Miloslav Trmač of Red Hat.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libuser | 1:0.62~dfsg-0.4 1:0.64~dfsg-1 1:0.64~dfsg-2 | |
| SUSE Libuser | ||
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Fedora | =18 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html
- https://access.redhat.com/security/cve/cve-2012-5644
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5644
- https://security-tracker.debian.org/tracker/CVE-2012-5644
- https://bugzilla.redhat.com/show_bug.cgi?id=885724#c7
- https://access.redhat.com/security/cve/CVE-2012-5644
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=928846
- https://access.redhat.com/security/cve/CVE-2012-5630
- https://fedorahosted.org/libuser/changeset?reponame=&old=cd5a8babd110b138d40fe0d51da2e7d18069eca6%40&new=4a8a1c1c5cf4611bfbdb5d23b51b1a4110112b97%40
- https://fedorahosted.org/libuser/changeset?reponame=&old=ae3646e9ed8acea5aa64b4c35f8e2e015696093c%40&new=d094070cab7f717a5d2b17bde0a4795fab9d7239%40
- http://pkgs.fedoraproject.org/cgit/libuser.git/tree/libuser-dirtree-TOCTOU-fix.patch?id=78a55bf498cac0b430ba6512654860c39dfd0bf9
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=885724#c11
- https://bugzilla.redhat.com/show_bug.cgi?id=885724
Frequently Asked Questions
What security risks are associated with CVE-2012-5644?
CVE-2012-5644 presents an information disclosure risk that can lead to unauthorized access to users' home directories.
Which systems are affected by CVE-2012-5644?
CVE-2012-5644 affects versions of libuser on Debian and Red Hat Enterprise Linux systems.
How can I mitigate the CVE-2012-5644 vulnerability?
To mitigate CVE-2012-5644, ensure that you upgrade to the patched versions of libuser as specified in the advisory.
What is the impact of exploiting CVE-2012-5644?
Exploiting CVE-2012-5644 could allow attackers to gain access to sensitive information within user home directories.
Is CVE-2012-5644 a critical vulnerability?
CVE-2012-5644 is classified as a medium-severity vulnerability, but it can lead to significant data exposure if not addressed.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5644
- agent/severity
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/libuser project
- canonical/suse libuser
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/18
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0