Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 3.3
CVE Id CVE-2011-1920
Last Modified 24 May 2011 12:00:00
Published 23 May 2011 06:55:01
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector LOCAL
Access Complexity MEDIUM
Authentication NONE

CVE-2011-1920

Summary

The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and other products, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to (1) bsd.lib.mk and (2) bsd.prog.mk.

Vulnerable Systems

Operating System

  • NetBSD

  • NetBSD 1.0

  • NetBSD 1.1

  • NetBSD 1.2

  • NetBSD 1.2.1

  • NetBSD 1.3

  • NetBSD 1.3.1

  • NetBSD 1.3.2

  • NetBSD 1.3.3

  • NetBSD 1.4

  • NetBSD 1.4.1

  • NetBSD 1.4.2

  • NetBSD 1.4.3

  • NetBSD 1.5

  • NetBSD 1.5.1

  • NetBSD 1.5.2

  • NetBSD 1.5.3

  • NetBSD 1.6

  • NetBSD 1.6.1

Application

  • Ihji Pmake 1.111


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=705100

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=705090

MLIST - [oss-security] 20110516 Re: CVE Request -- pmake -- Use of insecure temporary file for 'depend' target

MLIST - [oss-security] 20110516 CVE Request -- pmake -- Use of insecure temporary file for 'depend' target

CONFIRM - http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk.diff?r1=1.192&r2=1.193&f=h

CONFIRM - http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk.diff?r1=1.239&r2=1.240&f=h

CONFIRM - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673

XF - pmake-depend-symlink(67495)

BID - 47878


Last Updated: 27 May 2016 10:56:52