ace security vulnerability

Vulnerability ID 1208651 Vulnerability type Security feature issue
Published 2019-11-22 Updated 2019-12-27
CVE ID CVE-2014-6311 CNNVD-ID CNNVD-201911-1310
Affected platform N/A CVSS score N/A
|Vulnerability source
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201911-1310
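|Vulnerability details
Versions of ace before 6.2.7+dfsg-2 contain a security vulnerability: the generate_doxygen.pl file creates files under /tmp whose names are easy to guess. An attacker can exploit this vulnerability to gain elevated privileges.
|Vulnerability EXP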
Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html

In bin/generate_doxygen.pl line 177 it says:
my $output = "/tmp/".$i.".".$$.".doxygen";

This path is later opened for writing. For context, see:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177

Initial disclosure: http://bugs.debian.org/760709

(end of CVE request)

A quick "grep -r /tmp $ace_source" indicates more occasions that may be
worth researching. Most of the results reside within examples or
documentation though.

An interesting find is bin/g++-dep line 63:
TMP=/tmp/g++dep$$
This path is also used for writing. The context can be found at:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63
I am not sure whether this instance is actually executed during the build,
but the Debian package installs it to the development package available
for user consumption.

Thanks

Helmut
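
The safe counterpart to the PID-based /tmp names quoted above, as an added example (not code from ACE, Debian or the original post): safe_tmp lets mktemp choose an unpredictable name and create the file exclusively, and find_pid_tmp audits a source tree for the "$$" pattern. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample tree are constructed here.

# Create a private temp file. mktemp appends a random suffix and creates the
# file exclusively with mode 0600, so a file or symlink planted at a guessed
# name in advance is never opened or followed.
safe_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Print files under directory $1 that build a /tmp path from the process ID
# ($$), the pattern quoted from generate_doxygen.pl and g++dep.
find_pid_tmp() {
    grep -rlE '/tmp/[^[:space:]]*\$\$' "$1" | sort
}

# Build a constructed sample tree: two files using the PID-based pattern and
# one using mktemp. Prints the path of the tree.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXXXXXX") || return 1
    printf '%s\n' 'my $output = "/tmp/".$i.".".$$.".doxygen";' > "$d/gen.pl"
    printf '%s\n' 'TMP=/tmp/g++dep$$' > "$d/dep.sh"
    printf '%s\n' 'TMP=$(mktemp /tmp/g++dep.XXXXXXXXXX) || exit 1' > "$d/fixed.sh"
    printf '%s\n' "$d"
}

# Demo: audit the sample tree, then create and clean up a safe temp file.
tree=$(make_sample_tree) || exit 1
out=$(safe_tmp doxygen) || exit 1
trap 'rm -rf "$tree" "$out"' EXIT
find_pid_tmp "$tree"
echo "safe temp file: $out"
```

In Perl, File::Temp's tempfile() gives the same exclusive-create behaviour as mktemp does here.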
|References

Source: MISC
Link: http://www.openwall.com/lists/oss-security/2014/09/11/5

Source: bugs.debian.org
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760709

Source: MISC
Link: http://www.openwall.com/lists/oss-security/2014/09/12/6

Source: MISC
Link: https://security-tracker.debian.org/tracker/CVE-2014-6311

Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2014-6311