{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-12-08T00:00:00", "descriptions": [{"lang": "en", "value": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[bug-coreutils] 20091208 Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18779.html"}, {"name": "60853", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/60853"}, {"name": "USN-2473-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2473-1"}, {"name": "[oss-security] 20091208 CVE Request -- coreutils -- unsafe temporary directory location use", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/12/08/4"}, {"name": "37645", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37645"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=ae034822c535fa5"}, {"name": "37256", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/37256"}, {"name": "[oss-security] 20091208 Re: CVE Request -- coreutils -- unsafe temporary directory location use", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=oss-security&m=126030454503441&w=2"}, {"name": "FEDORA-2009-13216", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00954.html"}, {"name": "ADV-2009-3453", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/3453"}, {"name": "FEDORA-2009-13181", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00972.html"}, {"name": "37860", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37860"}, {"name": "gnu-core-distcheck-symlink(54673)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54673"}, {"name": "62226", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/62226"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=545439"}, {"name": "[bug-coreutils] 20091209 [PATCH] doc: NEWS: mention the \"make distcheck\" vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18787.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:54:09.982Z"}, "title": "CVE Program Container", "references": [{"name": "[bug-coreutils] 20091208 Re: build: distcheck: do not leave a $TMPDIR/coreutils directory behind", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18779.html"}, {"name": "60853", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/60853"}, {"name": "USN-2473-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2473-1"}, {"name": "[oss-security] 20091208 CVE Request -- coreutils -- unsafe temporary directory location use", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/12/08/4"}, {"name": "37645", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37645"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=ae034822c535fa5"}, {"name": "37256", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/37256"}, {"name": "[oss-security] 20091208 Re: CVE Request -- coreutils -- unsafe temporary directory location use", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=oss-security&m=126030454503441&w=2"}, {"name": "FEDORA-2009-13216", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00954.html"}, {"name": "ADV-2009-3453", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/3453"}, {"name": "FEDORA-2009-13181", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00972.html"}, {"name": "37860", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37860"}, {"name": "gnu-core-distcheck-symlink(54673)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54673"}, {"name": "62226", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/62226"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=545439"}, {"name": "[bug-coreutils] 20091209 [PATCH] doc: NEWS: mention the \"make distcheck\" vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18787.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-4135", "datePublished": "2009-12-11T16:00:00", "dateReserved": "2009-12-01T00:00:00", "dateUpdated": "2024-08-07T06:54:09.982Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*", "matchCriteriaId": "5D37DF0F-F863-45AC-853A-3E04F9FEC7CA", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:coreutils:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4060C1F-54F4-4D8F-A359-48CC27359585", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.91:*:*:*:*:*:*:*", "matchCriteriaId": "BB7AE17A-1310-4F3B-B649-ED3D14C161BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.92:*:*:*:*:*:*:*", "matchCriteriaId": "066F4A28-3C7E-4524-BB09-50A9C27F0DCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.93:*:*:*:*:*:*:*", "matchCriteriaId": "B334A0E5-92C4-4027-B847-1E535D46759E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.94:*:*:*:*:*:*:*", "matchCriteriaId": "70411321-9C15-4EE5-8C50-C730DC114B69", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.95:*:*:*:*:*:*:*", "matchCriteriaId": "F9CDDE73-12B4-49BD-AA4A-EFDB27DCEE63", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.96:*:*:*:*:*:*:*", "matchCriteriaId": "56235E45-03A0-4665-A892-E022F3CECEFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:5.97:*:*:*:*:*:*:*", "matchCriteriaId": "FAAFD6D4-7CA0-4C5E-ACCE-0FEFE123282A", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "17B19ECD-3B51-495B-890A-A65715E84500", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "9BA15857-9B26-44EC-8111-B4AB5F14CAA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.4:*:*:*:*:*:*:*", "matchCriteriaId": "A9322877-683C-4662-8862-8A19921DDFF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.5:*:*:*:*:*:*:*", "matchCriteriaId": "64510D4D-D783-4D91-969A-631864135A4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "047B607D-074F-4154-BDBC-C252A0E332FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.7:*:*:*:*:*:*:*", "matchCriteriaId": "60A5A833-9CDA-459E-B1AF-8813E559DE0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "DE7C16BD-A66A-436D-935D-6FB03EFF477C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.9:*:*:*:*:*:*:*", "matchCriteriaId": "EA7FA6D6-C675-4B21-B29F-D0686C03D373", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.10:*:*:*:*:*:*:*", "matchCriteriaId": "C77C7E77-20AB-4B96-B5F9-51D0B598A9F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.11:*:*:*:*:*:*:*", "matchCriteriaId": "8B96E929-15F1-40EE-9EE0-ABBF0C8EFA76", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:6.12:*:*:*:*:*:*:*", "matchCriteriaId": "FD5C865C-B8B1-4410-8DC8-015FA8CACA97", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "47B9797D-D66B-47AB-8ED9-8EB6A3B7BB3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "05224EEF-A6C6-4B04-AD37-B22AB9048D7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "B417E42B-821D-4C74-BF47-3594C9AE1B98", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "E64DD6D2-3025-4805-A7BD-0A0FDCF906CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "499983D5-E6A2-411B-861C-95653E238FF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "6A4FDCD8-F63F-42A8-9130-3E69B6A5331A", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:coreutils:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "4BCA48A1-617A-4B82-A363-70131EE27150", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*", "matchCriteriaId": "B3BB5EDB-520B-4DEF-B06E-65CA13152824", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:12:*:*:*:*:*:*:*", "matchCriteriaId": "E44669D7-6C1E-4844-B78A-73E253A7CC17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp."}, {"lang": "es", "value": "La regla distcheck en dist-check.mk en GNU coreutils desde v5.2.1 hasta v8.1 permite a usuarios locales ganar privilegios a trav\u00e9s de un ataque de enlace simb\u00f3lico en un fichero que este en la carpeta /tmp."}], "id": "CVE-2009-4135", "lastModified": "2023-02-13T02:20:43.433", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-12-11T16:30:00.327", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=ae034822c535fa5"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://marc.info/?l=oss-security&m=126030454503441&w=2"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/37645"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/37860"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/62226"}, {"source": "secalert@redhat.com", "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18779.html"}, {"source": "secalert@redhat.com", "url": "http://www.mail-archive.com/bug-coreutils%40gnu.org/msg18787.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2009/12/08/4"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/60853"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/37256"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2473-1"}, {"source": "secalert@redhat.com", "tags": ["Permissions Required"], "url": "http://www.vupen.com/english/advisories/2009/3453"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=545439"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54673"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00954.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00972.html"}], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [{"comment": "This issue does not affect users using coreutils binary RPMs, or rebuilding source RPMs. Therefore, we do not plan to release updates addressing this flaw on Red Hat Enterprise Linux 3, 4 and 5.\n\nFor additional details, refer to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4135", "lastModified": "2010-02-26T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "coreutils: Unsafe temporary directory use in \"distcheck\" rule", "id": "545439", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=545439"}, "csaw": false, "cvss": {"cvss_base_score": "1.2", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp."], "name": "CVE-2009-4135", "public_date": "2009-12-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2009-4135\nhttps://nvd.nist.gov/vuln/detail/CVE-2009-4135"], "statement": "This issue does not affect users using coreutils binary RPMs, or rebuilding source RPMs. Therefore, we do not plan to release updates addressing this flaw on Red Hat Enterprise Linux 3, 4 and 5.\nFor additional details, refer to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4135", "threat_severity": "Low"}