https://bugzilla.redhat.com/show_bug.cgi?id=1267962
Bug ID: 1267962
Summary: perl-IPTables-Parse: Use of predictable names for temporary files
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: mitr@redhat.com, perl-devel@lists.fedoraproject.org, tremble@tremble.org.uk
A vulnerability was found in the way perl-IPTables-Parse uses predictable file names for its temporary files. This vulnerability allows an attacker on a multi-user system to set up symlinks to overwrite any file the current user has write access to.
Note that perl-IPTables-Parse is also used by fwsnort and perl-IPTables-ChainMgr, which is used by psad.
Upstream patch:
https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7...
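The failure mode described in the report above, reproduced inside a throwaway sandbox directory as an added Perl example. It is not code from IPTables::Parse or from the upstream patch, and the file names are constructed placeholders. It contrasts a plain open() on a fixed name with exclusive creation and with File::Temp:

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for a shared directory such as /tmp (constructed).
my $shared = tempdir(CLEANUP => 1);
my $target = "$shared/users-own-file";   # a file the current user can write to
my $fixed  = "$shared/app.tmp";          # hypothetical predictable temp name

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "$path: $!";
    local $/;                            # read the whole file at once
    my $data = <$fh>;
    return $data;
}

sub spew {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "$path: $!";   # follows symlinks, truncates
    print {$fh} $data;
    close($fh) or die "$path: $!";
}

# Weak pattern: the fixed name already exists as a symlink, and a plain
# open() for writing goes straight through it to the link's target.
spew($target, "original\n");
symlink($target, $fixed) or die "symlink: $!";
spew($fixed, "scratch data\n");
print "open() on fixed name: target now holds: ", slurp($target);

# Check 1: O_CREAT|O_EXCL fails if the name exists at all, symlink included.
spew($target, "original\n");
if (sysopen(my $fh, $fixed, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    print "O_EXCL: unexpectedly created $fixed\n";
} else {
    print "O_EXCL on fixed name: refused ($!); target still holds: ", slurp($target);
}

# Check 2: File::Temp chooses a random suffix and creates the file exclusively.
my ($tfh, $tname) = tempfile('app-XXXXXXXX', DIR => $shared);
print {$tfh} "scratch data\n";
close($tfh) or die "$tname: $!";
printf "File::Temp wrote %s (mode %04o); target still holds: %s",
    $tname, (stat($tname))[2] & 07777, slurp($target);
```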
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1267963
Depends On| |1267964
Depends On| |1267965
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created perl-IPTables-Parse tracking bugs for this issue:
Affects: fedora-all [bug 1267963]
Affects: epel-5 [bug 1267964]
Affects: epel-6 [bug 1267965]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1267963
[Bug 1267963] perl-IPTables-Parse: Use of predictable names for temporary files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1267964
[Bug 1267964] perl-IPTables-Parse: Use of predictable names for temporary files [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1267965
[Bug 1267965] perl-IPTables-Parse: Use of predictable names for temporary files [epel-6]
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
perl-IPTables-Parse-1.5-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1267962 depends on bug 1267963, which changed state.
Bug 1267963 Summary: perl-IPTables-Parse: Use of predictable names for temporary files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1267963
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
perl-IPTables-Parse-1.5-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
perl-IPTables-Parse-1.5-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mprpic@redhat.com
--- Comment #5 from Martin Prpic mprpic@redhat.com ---
*** Bug 1284922 has been marked as a duplicate of this bug. ***
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version| |IPTables-Parse 1.6
--- Comment #6 from Martin Prpic mprpic@redhat.com ---
CVE request:
http://seclists.org/oss-sec/2015/q4/366
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2015-8326
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|perl-IPTables-Parse: Use of predictable names for temporary files |CVE-2015-8326 perl-IPTables-Parse: Use of predictable names for temporary files
--- Comment #7 from Adam Mariš amaris@redhat.com ---
Acknowledgments:
This issue was discovered by Miloslav Trmač of Red Hat.
Bug 1267962 depends on bug 1267964, which changed state.
Bug 1267964 Summary: CVE-2015-8326 perl-IPTables-Parse: Use of predictable names for temporary files [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=1267964
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL