Overview
Alladin Ghostscript, a previewer for postscript files, creates temporary files with a predictable names. The creation allows attackers to use symbolic links to overwrite other files on the host.
Description
Alladin Ghostscript is a previewer for postscript files. It creates temporary files using the mktemp() call, which creates files with predictable names based on the process number for the process running Ghostscript. The prior existence and ownership of the temporary file is not checked by the mktemp() call. |
Impact
By creating a symbolic link with the appropriate name, an attacker may overwrite any file writable by the user running Ghostscript. This is particularly dangerous for the root account, which could lead to overwriting of system files, including the password file, and raising of the attacker's access privileges. |
Solution
Apply vendor patches; see the Systems Affected section below. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.securityfocus.com/bid/1990
- http://www.linuxsecurity.com/advisories/redhat_advisory-909.html
- http://www.caldera.com/support/security/advisories/CSSA-2000-041.0.txt
- http://www.linuxsecurity.com/advisories/mandrake_advisory-914.html
- http://www.debian.org/security/2000/20001123
- http://www.linuxsecurity.com/advisories/other_advisory-919.html
- http://www.linuxsecurity.com/advisories/other_advisory-957.html
- http://www.linuxsecurity.com/advisories/suse_advisory-879.html
Acknowledgements
Dr. Werner Fink of SuSE first reported this vulnerability.
This document was last modified by Tim Shimeall.
Other Information
| CVE IDs: | CVE-2000-1162 |
| Severity Metric: | 4.05 |
| Date Public: | 2000-11-22 |
| Date First Published: | 2001-08-21 |
| Date Last Updated: | 2001-08-21 13:59 UTC |
| Document Revision: | 11 |