ID CVE-2003-0924
Summary netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.
Vulnerable Configurations
  • cpe:2.3:a:netpbm:netpbm:9.25
CVSS
Base: 3.7 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
Vector Complexity Authentication
LOCAL HIGH NONE
Impact
Confidentiality Integrity Availability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200410-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200410-02 (Netpbm: Multiple temporary file issues) Utilities contained in the Netpbm package prior to the 9.25 version contain defects in temporary file handling. They create temporary files with predictable names without checking first that the target file doesn't already exist. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When a user or a tool calls one of the affected utilities, this would result in file overwriting with the rights of the user running the utility. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 15418
    published 2004-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15418
    title GLSA-200410-02 : Netpbm: Multiple temporary file issues
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-031.NASL
    description Updated NetPBM packages are available that fix a number of temporary file vulnerabilities in the netpbm libraries. The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. A number of temporary file bugs have been found in versions of NetPBM. These could make it possible for a local user to overwrite or create files as a different user who happens to run one of the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0924 to this issue. Users are advised to upgrade to the erratum packages, which contain patches from Debian that correct these bugs.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12454
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12454
    title RHEL 2.1 / 3 : netpbm (RHSA-2004:031)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-011.NASL
    description A number of temporary file bugs have been found in versions of NetPBM. These could allow a local user the ability to overwrite or create files as a different user who happens to run one of the vulnerable utilities. Update : The patch applied made some calls to the mktemp utility with an incorrect parameter which prevented mktemp from creating temporary files in some scripts.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14111
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14111
    title Mandrake Linux Security Advisory : netpbm (MDKSA-2004:011-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-426.NASL
    description netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15263
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15263
    title Debian DSA-426-1 : netpbm-free - insecure temporary files
oval via4
  • accepted 2007-04-25T19:52:42.229-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.
    family unix
    id oval:org.mitre.oval:def:804
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat netpbm File Overwrite Vulnerability
    version 34
  • accepted 2007-04-25T19:52:49.762-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.
    family unix
    id oval:org.mitre.oval:def:810
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Enterprise 3 netpbm File Overwrite Vulnerability
    version 34
redhat via4
advisories
  • rhsa
    id RHSA-2004:030
  • rhsa
    id RHSA-2004:031
refmap via4
bid 9442
cert-vn VU#487102
debian DSA-426
gentoo GLSA-200410-02
mandrake MDKSA-2004:011
sgi 20040201-01-U
xf netpbm-temp-insecure-file(14874)
Last major update 05-09-2008 - 16:35
Published 17-02-2004 - 00:00
Last modified 09-10-2017 - 21:30