SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CVE

CVE-2008-5007

create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 6.9
Exploit Score: 3.4
Impact Score: 10.0

CVSS V2 Metrics:
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE

Reference:

BID-30917

http://www.openwall.com/lists/oss-security/2008/10/30/2

http://bugs.debian.org/496377

http://code.google.com/p/bollin/source/browse/lazarus/trunk/debian/patches/07_sh_using_tmp.dpatch?spec=svn3462&r=3462

http://dev.gentoo.org/~rbu/security/debiantemp/lazarus-src

http://uvw.ru/report.lenny.txt

https://bugs.gentoo.org/show_bug.cgi?id=235770

https://bugs.gentoo.org/show_bug.cgi?id=235828

lazarussrc-createlazarusexporttgz-symlink(44824)


30389



423868



247085



909



194218



282