Title: XFree86 4.0.1 /tmp Vulnerabilities
Severity: MODERATE
Description:
A number of vulnerabilities exist in XFree86 4.0.1 and priors handling and use of files in /tmp. They are as follows:
XFree86 4.0.1 and prior, when installed from source, creates manpage aliases as temporary files in /tmp, prior to being installed in /usr/X11R6/man. The temporary filenames are based on the process id. It is rm'd before being overwritten, however shell redirection, without noclobber being set. Exploiting this vulnerability requires predicting the UID, and racing the installation script creation of these files after removing them. This should not be difficult.
gccmakedep uses /tmp insecurely, and uses mktemp() in the 3.3.x branch.
imake, under Linux, uses tmpnam() insecurely when determining the version of libc, and in the 4.0 version, uses mktemp(), which makes the filename further predictable.
xman uses mktemp() insecurely.
libXaw uses tmpnam() insecurely.
Affected Products:
- Debian Linux 2.2.0
- RedHat Linux 6.2.0
- RedHat Linux 7.0.0
- XFree86 X11R6 3.3.3
- XFree86 X11R6 3.3.4
- XFree86 X11R6 3.3.5
- XFree86 X11R6 3.3.6
- XFree86 X11R6 4.0.0
- XFree86 X11R6 4.0.1
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
