Overview
The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack.
Description
The 'makewhatis' program is a Bourne shell script that ships with many Linux distributions in the 'man' package of programs. The 'makewhatis' script creates files in the /tmp directory with predictable names. By using various symlink attacks, it is possible for local users to exploit this predictability to create or modify arbitrary files and gain elevated privilege. In addition, the 'makewhatis' script is run daily to rebuild the database used by the 'whatis' command. Local users may be able to read any system file by forcing a copy of it into the 'whatis' database. The man package version 1.5e and higher is vulnerable to this flaw.
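The class of flaw described above, shown next to the usual hardening for shell scripts that need scratch files. This is an added example, not code from 'makewhatis' or the man package; the function names, the "whatis.*" file names and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the "whatis.*" file names are constructed.

# Unsafe: predictable name in a shared directory, opened with a plain '>'.
# A symlink already sitting at that name is followed, so the write lands
# on whatever file the link points to.
write_predictable() {
    tmp="$1/whatis.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened: mktemp -d atomically creates a new mode-0700 directory with an
# unpredictable name, so no other user can place anything inside it.
# noclobber (set -C) additionally makes '>' fail on an existing file.
write_private() {
    work=$(mktemp -d "$1/whatis.XXXXXX") || return 1
    ( set -C; printf '%s\n' "$2" > "$work/db" ) || { rm -rf "$work"; return 1; }
    printf '%s\n' "$work/db"   # path of the file that was written
}

# Self-check in a throwaway sandbox: a symlink is placed at the predictable
# name, then both writers run. Prints what happened to the protected file.
demo() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/whatis.$$"

    write_predictable "$box" "scratch data"
    after_unsafe=$(cat "$box/protected")

    printf 'original\n' > "$box/protected"
    out=$(write_private "$box" "scratch data") || { rm -rf "$box"; return 1; }
    after_safe=$(cat "$box/protected")
    written=$(cat "$out")

    rm -rf "$box"
    printf 'predictable name: protected file now "%s"\n' "$after_unsafe"
    printf 'mktemp -d:        protected file still "%s"\n' "$after_safe"
    [ "$after_unsafe" = "scratch data" ] && [ "$after_safe" = "original" ] \
        && [ "$written" = "scratch data" ]
}
```

Running `demo` after sourcing the file prints both outcomes and returns 0 when the hardened writer left the protected file untouched.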
Impact
Many distributions of Linux contain the 'man' package. The vulnerability in 'makewhatis' can be exploited by local users to corrupt privileged (root) files on the system or to gain elevated privileges.
Solution
Versions of Linux in affected distributions should be upgraded.
References
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0566
- http://www.securityfocus.com/bid/1434
- http://www.redhat.com/support/errata/RHSA-2000-041-02.html
- http://www.caldera.com/support/security/advisories/CSSA-2000-021.0.txt
- http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-015.php3?dis=6.0
Acknowledgements
Thanks to Red Hat for the information contained in their security advisory.
This document was written by Andrew P. Moore.
Other Information
- CVE IDs: CVE-2000-0566
- Severity Metric: 3.04
- Date Public: 2000-07-03
- Date First Published: 2001-06-18
- Date Last Updated: 2001-06-18 17:24 UTC
- Document Revision: 6