ID CVE-2004-0968
Summary The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.
References
Vulnerable Configurations
  • GNU glibc 2.0
    cpe:2.3:a:gnu:glibc:2.0
  • GNU glibc 2.0.1
    cpe:2.3:a:gnu:glibc:2.0.1
  • GNU glibc 2.0.2
    cpe:2.3:a:gnu:glibc:2.0.2
  • GNU glibc 2.0.3
    cpe:2.3:a:gnu:glibc:2.0.3
  • GNU glibc 2.0.4
    cpe:2.3:a:gnu:glibc:2.0.4
  • GNU glibc 2.0.5
    cpe:2.3:a:gnu:glibc:2.0.5
  • GNU glibc 2.0.6
    cpe:2.3:a:gnu:glibc:2.0.6
  • GNU glibc 2.1
    cpe:2.3:a:gnu:glibc:2.1
  • GNU glibc 2.1.1
    cpe:2.3:a:gnu:glibc:2.1.1
  • GNU glibc 2.1.1.6
    cpe:2.3:a:gnu:glibc:2.1.1.6
  • GNU glibc 2.1.2
    cpe:2.3:a:gnu:glibc:2.1.2
  • GNU glibc 2.1.3
    cpe:2.3:a:gnu:glibc:2.1.3
  • GNU glibc 2.1.3.10
    cpe:2.3:a:gnu:glibc:2.1.3.10
  • GNU glibc 2.1.9
    cpe:2.3:a:gnu:glibc:2.1.9
  • GNU glibc 2.2
    cpe:2.3:a:gnu:glibc:2.2
  • GNU glibc 2.2.1
    cpe:2.3:a:gnu:glibc:2.2.1
  • GNU glibc 2.2.2
    cpe:2.3:a:gnu:glibc:2.2.2
  • GNU glibc 2.2.3
    cpe:2.3:a:gnu:glibc:2.2.3
  • GNU glibc 2.2.4
    cpe:2.3:a:gnu:glibc:2.2.4
  • GNU glibc 2.2.5
    cpe:2.3:a:gnu:glibc:2.2.5
  • GNU glibc 2.3
    cpe:2.3:a:gnu:glibc:2.3
  • GNU glibc 2.3.1
    cpe:2.3:a:gnu:glibc:2.3.1
  • GNU glibc 2.3.2
    cpe:2.3:a:gnu:glibc:2.3.2
  • GNU glibc 2.3.3
    cpe:2.3:a:gnu:glibc:2.3.3
  • GNU glibc 2.3.4
    cpe:2.3:a:gnu:glibc:2.3.4
  • GNU glibc 2.3.10
    cpe:2.3:a:gnu:glibc:2.3.10
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
  • Red Hat Desktop 3.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0
CVSS
Base: 2.1 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200410-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-200410-19 (glibc: Insecure tempfile handling in catchsegv script) The catchsegv script creates temporary files in world-writeable directories with predictable names. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When catchsegv script is called, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 15538
    published 2004-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15538
    title GLSA-200410-19 : glibc: Insecure tempfile handling in catchsegv script
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-261.NASL
    description Updated glibc packages that address several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The GNU libc packages (known as glibc) contain the standard C libraries used by applications.
      Flaws in the catchsegv and glibcbug scripts were discovered. A local user could utilize these flaws to overwrite files via a symlink attack on temporary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0968 and CVE-2004-1382 to these issues.
      It was discovered that the use of LD_DEBUG and LD_SHOW_AUXV were not restricted for a setuid program. A local user could utilize this flaw to gain information, such as the list of symbols used by the program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1453 to this issue.
      This erratum also addresses the following bugs in the GNU C Library:
      - Now avoids calling sigaction (SIGPIPE, ...) in syslog implementation
      - Fixed poll on Itanium
      - Now allows setenv/putenv in shared library constructors
      Users of glibc are advised to upgrade to these erratum packages that remove the unnecessary glibcbug script and contain backported patches to correct these other issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18160
    published 2005-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18160
    title RHEL 2.1 : glibc (RHSA-2005:261)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-636.NASL
    description Several insecure uses of temporary files have been discovered in support scripts in the libc6 package which provides the c library for a GNU/Linux system. Trustix developers found that the catchsegv script uses temporary files insecurely. Openwall developers discovered insecure temporary files in the glibcbug script. These scripts are vulnerable to a symlink attack.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 16150
    published 2005-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16150
    title Debian DSA-636-1 : glibc - insecure temporary files
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-586.NASL
    description Updated glibc packages that address several bugs and implement some enhancements are now available. The GNU libc packages (known as glibc) contain the standard C libraries used by applications. This errata fixes several bugs in the GNU C Library. Fixes include (in addition to enclosed Bugzilla entries):
      - fixed 32-bit atomic operations on 64-bit powerpc
      - fixed -m32 -I /usr/include/nptl compilation on AMD64
      - NPTL should now be usable in C++ code or -pedantic -std=c89 C
      - rwlocks are now available also in the _POSIX_C_SOURCE=200112L namespace
      - pthread_once is no longer throw(), as the callback routine might throw
      - pthread_create now correctly returns EAGAIN when thread couldn't be created because of lack of memory
      - fixed NPTL stack freeing in case of pthread_create failure with detached thread
      - fixed pthread_mutex_timedlock on i386 and AMD64
      - Itanium gp saving fix in linuxthreads
      - fixed s390/s390x unwinding tests done during cancellation if stack frames are small
      - fixed fnmatch(3) backslash handling
      - fixed out of memory behaviour of syslog(3)
      - resolver ID randomization
      - fixed fim (NaN, NaN)
      - glob(3) fixes for dangling symlinks
      - catchsegv fixed to work with both 32-bit and 64-bit binaries on x86-64, s390x and ppc
      - fixed reinitialization of _res when using NPTL stack cache
      - updated bug reporting instructions, removed glibcbug script
      - fixed infinite loop in iconv with some options
      - fixed inet_aton return value
      - CPU friendlier busy waiting in linuxthreads on EM64T and IA-64
      - avoid blocking/masking debug signal in linuxthreads
      - fixed locale program output when neither LC_ALL nor LANG is set
      - fixed using of uninitialized memory in localedef
      - fixed mntent_r escape processing
      - optimized mtrace script
      - linuxthread_db fixes on ppc64
      - cfi instructions in x86-64 linuxthreads vfork
      - some _POSIX_C_SOURCE=200112L namespace fixes
      All users of glibc should upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16018
    published 2004-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16018
    title RHEL 3 : glibc (RHSA-2004:586)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-4-1.NASL
    description Recently, Trustix Secure Linux discovered some vulnerabilities in the libc6 package. The utilities 'catchsegv' and 'glibcbug' created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20656
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20656
    title Ubuntu 4.10 : Standard C library script vulnerabilities (USN-4-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-159.NASL
    description The Trustix developers discovered that the catchsegv and glibcbug utilities, part of the glibc package, created temporary files in an insecure manner. This could allow for a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16076
    published 2005-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16076
    title Mandrake Linux Security Advisory : glibc (MDKSA-2004:159)
oval via4
accepted 2013-04-29T04:19:59.134-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.
family unix
id oval:org.mitre.oval:def:9523
status accepted
submitted 2010-07-09T03:56:16-04:00
title The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2004:586
  • rhsa
    id RHSA-2005:261
refmap via4
bid 11286
confirm http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318
debian DSA-636
gentoo GLSA-200410-19
trustix 2004-0050
ubuntu USN-4-1
xf script-temporary-file-overwrite(17583)
Last major update 07-12-2016 - 21:59
Published 09-02-2005 - 00:00
Last modified 10-10-2017 - 21:29