Vulnerability Note VU#35842

man 'makewhatis' insecurely uses /tmp

Original Release date: 18 Jun 2001 | Last revised: 18 Jun 2001

Overview

The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack.

Description

The 'makewhatis' program is a Bourne shell script that ships with many Linux distributions in the 'man' package of programs. The 'makewhatis' script creates files in the /tmp directory with predictable names. By using various symlink attacks, it is possible for local users to exploit this predictability to create or modify arbitrary files and gain elevated privilege. In addition, the 'makewhatis' script is run daily to rebuild the database used by the 'whatis' command. Local users may be able to read any system file by forcing a copy of it into the 'whatis' database.

The man package version 1.5e and higher is vulnerable to this flaw.
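The predictable-name pattern described above, next to a hardened alternative, as an added shell example that is not the makewhatis source or any vendor's fix. The function names, the "whatis." prefix and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the makewhatis source; all function names are hypothetical.

# Weak pattern: a fixed prefix plus the PID is guessable, and a plain '>'
# follows any symlink that already sits at that path.
predictable_tmp() {
    printf '%s/whatis.%s\n' "${1:-/tmp}" "$$"
}

# Hardened: mktemp -d atomically creates a randomly named directory with
# mode 0700, so no other local user can place entries inside it.
make_workdir() {
    mktemp -d "${1:-${TMPDIR:-/tmp}}/whatis.XXXXXX"
}

# Exclusive create: with noclobber (set -C) the redirect fails if the path
# already exists, including a symlink that someone else put there.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Self-check inside a private sandbox: a link already waiting at the
# predictable name redirects a plain write, but the exclusive create refuses.
selftest() {
    box=$(make_workdir) || return 1
    printf 'original\n' > "$box/sentinel"          # constructed sample file
    weak=$(predictable_tmp "$box")
    ln -s "$box/sentinel" "$weak"

    create_exclusive "$weak" && { rm -rf "$box"; return 1; }   # must refuse
    [ "$(cat "$box/sentinel")" = original ] || { rm -rf "$box"; return 1; }

    echo clobbered > "$weak"                       # weak pattern in action
    [ "$(cat "$box/sentinel")" = clobbered ] || { rm -rf "$box"; return 1; }

    work=$(make_workdir "$box") || { rm -rf "$box"; return 1; }
    create_exclusive "$work/whatis.db" || { rm -rf "$box"; return 1; }
    [ ! -L "$work/whatis.db" ] && [ -f "$work/whatis.db" ]
    rc=$?
    rm -rf "$box"
    return $rc
}

selftest && echo "ok: pre-existing link refused, private workdir used"
```

A root-run maintenance script that keeps all scratch files inside the directory returned by make_workdir, and removes it on exit, no longer depends on names in a world-writable /tmp.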

Impact

Many distributions of Linux contain the 'man' package. The vulnerability in 'makewhatis' can be exploited by local users to corrupt privileged (root) files on the system or to gain elevated privileges.

Solution

Versions of Linux in affected distributions should be upgraded.

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Caldera | Affected | 07 Jun 2000 | 15 Jun 2001 |
| Conectiva | Affected | 27 Jul 2000 | 15 Jun 2001 |
| MandrakeSoft | Affected | 07 Jul 2000 | 15 Jun 2001 |
| RedHat | Affected | - | 15 Jun 2001 |

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |

Credit

Thanks to Red Hat for the information contained in their security advisory.

This document was written by Andrew P. Moore.

Other Information

  • CVE IDs: CVE-2000-0566
  • Date Public: 03 Jul 2000
  • Date First Published: 18 Jun 2001
  • Date Last Updated: 18 Jun 2001
  • Severity Metric: 3.04
  • Document Revision: 6
