Lucene search

K
gentooGentoo FoundationGLSA-200506-10
HistoryJun 11, 2005 - 12:00 a.m.

LutelWall: Insecure temporary file creation

2005-06-1100:00:00
Gentoo Foundation
security.gentoo.org
11

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0

Percentile

5.1%

Background

LutelWall is a high-level Linux firewall configuration tool.

Description

Eric Romang has discovered that the new_version_check() function in LutelWall insecurely creates a temporary file when updating to a new version.

Impact

A local attacker could create symbolic links in the temporary file directory, pointing to a valid file somewhere on the filesystem. When the update script is executed (usually by the root user), this would result in the file being overwritten with the rights of this user.

Workaround

There is no known workaround at this time.

Resolution

All LutelWall users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-firewall/lutelwall-0.98"
OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-firewall/lutelwall< 0.98UNKNOWN

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0

Percentile

5.1%

Related for GLSA-200506-10