Vulnerability Note VU#35842
man 'makewhatis' insecurely uses /tmp
The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack.
The 'makewhatis' program is a Bourne shell script that ships with many Linux distributions in the 'man' package of programs. The 'makewhatis' script creates files in the /tmp directory with predictable names. By using various symlink attacks, it is possible for local users to exploit this predictability to create or modify arbitrary files and gain elevated privilege. In addition, the 'makewhatis' script is run daily to rebuild the database used by the 'whatis' command. Local users may be able to read any system file by forcing a copy of it into the 'whatis' database.
The man package version 1.5e and higher is vulnerable to this flaw.
Many distributions of Linux contain the 'man' package. The vulnerability in 'makewhatis' can be exploited by local users to corrupt privileged (root) files on the system or to gain elevated privileges.
Versions of Linux in affected distributions should be upgraded.
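The class of fix for the predictable /tmp names described above, shown as an added example that is not code from the man package or from this advisory. The function names and the "whatis-build" prefix are hypothetical, `sort -u` stands in for the real database build, and the destination directory is assumed to be writable only by root.

```shell
#!/bin/sh
# Added example, not code from the man package. Function names and the
# "whatis-build" prefix are hypothetical.
#
# Weak pattern (constructed illustration of a predictable name):
#   TMPFILE=/tmp/whatis.$$ ; sort -u "$input" > "$TMPFILE"
# The PID is guessable and ">" writes through whatever already sits at that path.

# Private scratch directory: mktemp -d picks an unpredictable name and fails
# instead of reusing an existing path. The subshell keeps umask 077 local.
make_workdir() {
    dir=$( umask 077 && mktemp -d "${TMPDIR:-/tmp}/whatis-build.XXXXXXXXXX" ) || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Publish a finished file: stage it beside the destination, then rename.
# rename() replaces a symlink at $dest itself rather than writing through it.
# Assumption: the destination directory is writable only by root.
publish() {
    src=$1 dest=$2
    [ -d "$dest" ] && return 1          # never move "into" a directory
    staged=$(mktemp "$(dirname "$dest")/.publish.XXXXXXXXXX") || return 1
    if cat "$src" > "$staged" && chmod 644 "$staged" && mv -f "$staged" "$dest"; then
        return 0
    fi
    rm -f "$staged"
    return 1
}

# Stand-in for the database rebuild: sort -u replaces the real processing.
rebuild() {
    input=$1 dest=$2
    work=$(make_workdir) || return 1
    rc=0
    { sort -u "$input" > "$work/sorted" && publish "$work/sorted" "$dest"; } || rc=1
    rm -rf "$work"                      # scratch space removed on success and failure
    return $rc
}

if [ $# -eq 2 ]; then
    rebuild "$1" "$2"
fi
```

All intermediate files live inside a mode 0700 directory that other local users cannot enter, so a pre-planted link in /tmp has nothing to collide with.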
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Caldera | Affected | 07 Jun 2000 | 15 Jun 2001 |
| Conectiva | Affected | 27 Jul 2000 | 15 Jun 2001 |
| MandrakeSoft | Affected | 07 Jul 2000 | 15 Jun 2001 |
| RedHat | Affected | - | 15 Jun 2001 |
Thanks to Red Hat for the information contained in their security advisory.
This document was written by Andrew P. Moore.
- CVE IDs: CVE-2000-0566
- Date Public: 03 Jul 2000
- Date First Published: 18 Jun 2001
- Date Last Updated: 18 Jun 2001
- Severity Metric: 3.04
- Document Revision: 6