Vulnerability Note VU#401808

exuberant-ctags creates temporary files insecurely

Overview

Some versions of exuberant-ctags, a source code navigation utility, create and use temporary files insecurely, leading to local file corruption and possible denial-of-service.

I. Description

Exuberent-ctags is a source code navigation utility. It creates temporary files with predictable names in /tmp. Prior to creation, the utility does not check for existence of the temporary files. These files are created world-readable.

II. Impact

By creating symbolic links named as the temporary files, an attacker can cause exuberant-ctags to overwrite files writable by the user of exuberant-ctags. By creating similarly named files and protecting them against the user of exuberant-ctags, an attacker can deny use of this utility to a user.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Systems Affected

Vendor	Status	Date Notified
Caldera	Unknown	17-Sep-2001
Debian	Vulnerable	31-Jul-2001
RedHat	Unknown	17-Sep-2001
Sequent	Unknown	17-Sep-2001

References

http://www.securityfocus.com/bid/2614
http://www.linuxsecurity.com/advisories/debian_advisory-1286.html

Credit

This vulnerability was first reported by Colin Phipps.

This document was last modified by Tim Shimeall.

Other Information

Date Public:	2001-04-15
Date First Published:	2001-09-17
Date Last Updated:	2001-09-17
CERT Advisory:
CVE-ID(s):	CAN-2001-0430
NVD-ID(s):	CAN-2001-0430
US-CERT Technical Alerts:
Metric:	3.37
Document Revision:	4

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader