ID GLSA-200710-22 Type gentoo Reporter Gentoo Foundation Modified 2007-12-30T00:00:00
Description
Background
TRAMP is a remote file editing package for GNU Emacs, a highly extensible and customizable text editor.
Description
Stefan Monnier discovered that the tramp-make-tramp-temp-file() function creates temporary files in an insecure manner.
Impact
A local attacker could create symbolic links in the directory where the temporary files are written, pointing to a valid file somewhere on the filesystem that is writable by the user running TRAMP. When TRAMP writes the temporary file, the target valid file would then be overwritten with the contents of the TRAMP temporary file.
Workaround
There is no known workaround at this time.
Resolution
All TRAMP users should upgrade to the latest version:
{"published": "2007-10-20T00:00:00", "id": "GLSA-200710-22", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "vulnersScore": 7.2}, "hash": "a4ff335be9d11c7fe04f3fe2a850b21e8632cda0ac2cfa4ebe0addb181494533", "description": "### Background\n\nTRAMP is a remote file editing package for GNU Emacs, a highly extensible and customizable text editor. \n\n### Description\n\nStefan Monnier discovered that the tramp-make-tramp-temp-file() function creates temporary files in an insecure manner. \n\n### Impact\n\nA local attacker could create symbolic links in the directory where the temporary files are written, pointing to a valid file somewhere on the filesystem that is writable by the user running TRAMP. When TRAMP writes the temporary file, the target valid file would then be overwritten with the contents of the TRAMP temporary file. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll TRAMP users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emacs/tramp-2.1.10-r2\"", "type": "gentoo", "lastseen": "2016-09-06T19:46:10", "edition": 1, "title": "TRAMP: Insecure temporary file creation", "href": "https://security.gentoo.org/glsa/200710-22", "modified": "2007-12-30T00:00:00", "bulletinFamily": "unix", "viewCount": 1, "cvelist": ["CVE-2007-5377"], "affectedPackage": [{"packageVersion": "2.1.10-r2", "packageName": "app-emacs/tramp", "packageFilename": "UNKNOWN", "operator": "lt", "OSVersion": "any", "OS": "Gentoo", "arch": "all"}], "references": ["https://bugs.gentoo.org/show_bug.cgi?id=194713", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5377"], "reporter": "Gentoo Foundation", "hashmap": [{"hash": "0a92ca165bd0e9d5fe93e46fee77f557", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "454153f0fdc951c7dfdc7d0df65e9808", "key": "cvelist"}, {"hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9", "key": "cvss"}, {"hash": "406c6ce2c13ab7a7309934827ccc60b8", "key": "description"}, {"hash": "fec0e52ccfd8b0d557908976439da647", "key": "href"}, {"hash": "52b5769b7b79ad1523ef48aff6c6b99f", "key": "modified"}, {"hash": "777d45bbbcdf50d49c42c70ad7acf5fe", "key": "objectVersion"}, {"hash": "d57fa8e44428655a94e3175b1b89d7f9", "key": "published"}, {"hash": "cf6dd47b2accade06a531b8ac5374e26", "key": "references"}, {"hash": "ac1fd6b3deacaf22b54dd1934ae33181", "key": "reporter"}, {"hash": "b26ab9b43125915eccaf67e606b3f378", "key": "title"}, {"hash": "365d0fc7d6206ff26e2f2c2a78c91a94", "key": "type"}], "objectVersion": "1.2"}
{"cve": [{"lastseen": "2016-09-03T09:37:23", "references": ["http://www.gentoo.org/security/en/glsa/glsa-200710-22.xml", "http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html", "http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00158.html", "http://bugs.gentoo.org/show_bug.cgi?id=194713", "http://www.securityfocus.com/bid/26072"], "edition": 1, "description": "The (1) tramp-make-temp-file and (2) tramp-make-tramp-temp-file functions in Tramp 2.1.10 extension for Emacs, and possibly earlier 2.1.x versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.", "reporter": "NVD", "published": "2007-10-11T20:17:00", "type": "cve", "title": "CVE-2007-5377", "enchantments": {"score": {"modified": "2016-09-03T09:37:23", "vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-5377"], "scanner": [], "modified": "2011-03-07T22:00:35", "cpe": ["cpe:/a:gnu:tramp:2.1.10"], "id": "CVE-2007-5377", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5377", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-02T00:03:22", "references": ["https://security.gentoo.org/glsa/200710-22"], "pluginID": "27554", "description": "The remote host is affected by the vulnerability described in GLSA-200710-22 (TRAMP: Insecure temporary file creation)\n\n Stefan Monnier discovered that the tramp-make-tramp-temp-file() function creates temporary files in an insecure manner.\n Impact :\n\n A local attacker could create symbolic links in the directory where the temporary files are written, pointing to a valid file somewhere on the filesystem that is writable by the user running TRAMP. When TRAMP writes the temporary file, the target valid file would then be overwritten with the contents of the TRAMP temporary file.\n Workaround :\n\n There is no known workaround at this time.", "edition": 5, "reporter": "Tenable", "published": "2007-10-25T00:00:00", "title": "GLSA-200710-22 : TRAMP: Insecure temporary file creation", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5377"], "modified": "2018-08-10T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tramp", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200710-22.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=27554", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200710-22.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(27554);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/08/10 18:07:06\");\n\n script_cve_id(\"CVE-2007-5377\");\n script_xref(name:\"GLSA\", value:\"200710-22\");\n\n script_name(english:\"GLSA-200710-22 : TRAMP: Insecure temporary file creation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200710-22\n(TRAMP: Insecure temporary file creation)\n\n Stefan Monnier discovered that the tramp-make-tramp-temp-file()\n function creates temporary files in an insecure manner.\n \nImpact :\n\n A local attacker could create symbolic links in the directory where the\n temporary files are written, pointing to a valid file somewhere on the\n filesystem that is writable by the user running TRAMP. When TRAMP\n writes the temporary file, the target valid file would then be\n overwritten with the contents of the TRAMP temporary file.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200710-22\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All TRAMP users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emacs/tramp-2.1.10-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(59);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tramp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emacs/tramp\", unaffected:make_list(\"ge 2.1.10-r2\", \"lt 2.1\"), vulnerable:make_list(\"lt 2.1.10-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"TRAMP\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:12", "references": [], "pluginID": "58701", "description": "The remote host is missing updates announced in\nadvisory GLSA 200710-22.", "edition": 2, "reporter": "Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-24T00:00:00", "title": "Gentoo Security Advisory GLSA 200710-22 (tramp)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5377"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=58701", "id": "OPENVAS:58701", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The TRAMP package for GNU Emacs insecurely creates temporary files.\";\ntag_solution = \"All TRAMP users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emacs/tramp-2.1.10-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200710-22\nhttp://bugs.gentoo.org/show_bug.cgi?id=194713\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200710-22.\";\n\n \n\nif(description)\n{\n script_id(58701);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2007-5377\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200710-22 (tramp)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-emacs/tramp\", unaffected: make_list(\"ge 2.1.10-r2\", \"rlt 2.1\"), vulnerable: make_list(\"lt 2.1.10-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
