5 matches found

CVE
added 2019/03/05 4:0 p.m. | 148 views

CVE-2018-19638

CVE-2018-19638 affects supportutils prior to 3.1-5.7.1: an unprivileged user could overwrite arbitrary files in the log-collection directory when pacemaker is installed. openSUSE/SUSE advisories (openSUSE-2019-1351) fix this by upgrading supportutils to 3.1.17-2.2 (and related updates for hostinf...

CVSS 4.7 | AI score 5.2 | EPSS 0.00042

CVE
added 2019/03/05 4:0 p.m. | 136 views

CVE-2018-19637

CVE-2018-19637 affects supportutils prior to 3.1-5.7.1, where a static temporary file in /tmp/supp_log could be overwritten by local attackers due to insufficient symlink protection. Connected advisories confirm this issue is among a set of fixes in openSUSE/SUSE security updates (e.g., openSUSE-...

CVSS 5.5 | AI score 5.2 | EPSS 0.0004

CVE
added 2019/03/05 4:0 p.m. | 135 views

CVE-2018-19640

CVE-2018-19640 affects the openSUSE/SUSE hostinfo and supportutils packages in versions before 3.1-5.7.1. The issue allows an attacker who can create files in the log-collection directory to kill arbitrary processes on the local machine. Root cause cited: manipulation of the log direc...

CVSS 5.5 | AI score 5.1 | EPSS 0.00054

CVE
added 2019/03/05 4:0 p.m. | 133 views

CVE-2018-19639

CVE-2018-19639 affects supportutils before 3.1-5.7.1; when run with -v to verify RPMs, an attacker who can manipulate the RPM listing could execute arbitrary commands as root. openSUSE/SUSE advisories (openSUSE-2019-1351, SUSE-SU-2019:13976-1) state this vulnerability is fixed in the respective s...

CVSS 7.8 | AI score 5.7 | EPSS 0.00185

CVE
added 2019/03/05 4:0 p.m. | 132 views

CVE-2018-19636

CVE-2018-19636 affects the openSUSE/SUSE supportutils package (and related hostinfo updates) prior to version 3.1-5.7.1. The vulnerability is a local root exploit via inclusion of an attacker-controlled shell script, executed with root privileges when supportutils is run (specifically under the d...

CVSS 7.8 | AI score 7.4 | EPSS 0.0004