CVE-2012-5660: Race Condition
First published: Mon Dec 17 2012(Updated: )
A race condition was found in the way abrt handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, allowing them to make any file writable by the abrt user, allowing them to escalate their privileges to the privileged system user account, root. This issue was assigned <a href="https://access.redhat.com/security/cve/CVE-2012-5660">CVE-2012-5660</a>. Acknowledgements: Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Automatic Bug Reporting Tool | <=2.0.9 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.0 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.1 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.2 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.3 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.4 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.4.980 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.4.981 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.5 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.6 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.7 | |
| Red Hat Automatic Bug Reporting Tool | =2.0.8 |
Remedy
http://git.fedorahosted.org/cgit/libreport.git/commit/?id=3bbf961b1884dd32654dd39b360dd78ef294b10a
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.fedorahosted.org/cgit/libreport.git/commit/?id=3bbf961b1884dd32654dd39b360dd78ef294b10a
- http://rhn.redhat.com/errata/RHSA-2013-0215.html
- https://bugzilla.redhat.com/show_bug.cgi?id=887866
- https://access.redhat.com/security/cve/CVE-2012-5660
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=906280
- https://rhn.redhat.com/errata/RHSA-2013-0215.html
Frequently Asked Questions
What is the severity of CVE-2012-5660?
CVE-2012-5660 is classified as a moderate severity vulnerability.
How do I fix CVE-2012-5660?
To fix CVE-2012-5660, update the Red Hat Automatic Bug Reporting Tool to version 2.0.9 or later.
Who is affected by CVE-2012-5660?
CVE-2012-5660 affects local users with the privileges of the abrt user on systems running the specified versions of the Red Hat Automatic Bug Reporting Tool.
What type of attack does CVE-2012-5660 allow?
CVE-2012-5660 allows a symbolic link attack, enabling a local attacker to manipulate files writable by the abrt user.
When was CVE-2012-5660 disclosed?
CVE-2012-5660 was disclosed in 2012.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5660
- agent/references
- agent/remedy
- agent/author
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat automatic bug reporting tool
- version/red hat automatic bug reporting tool/2.0.9
- version/red hat automatic bug reporting tool/2.0.0
- version/red hat automatic bug reporting tool/2.0.1
- version/red hat automatic bug reporting tool/2.0.2
- version/red hat automatic bug reporting tool/2.0.3
- version/red hat automatic bug reporting tool/2.0.4
- version/red hat automatic bug reporting tool/2.0.4.980
- version/red hat automatic bug reporting tool/2.0.4.981
- version/red hat automatic bug reporting tool/2.0.5
- version/red hat automatic bug reporting tool/2.0.6
- version/red hat automatic bug reporting tool/2.0.7
- version/red hat automatic bug reporting tool/2.0.8