Bugzilla – Bug 943012
VUL-1: CVE-2015-5224: CVE-2015-5224 util-linux: file name collision due to incorrect mkstemp use
Last modified: 2015-08-25 16:34:31 UTC
CVE-2015-5224

Quoting from the git commit message:

The utils when compiled WITHOUT libuser then mkostemp()ing "/etc/%s.XXXXXX" where the filename prefix is argv[0] basename. An attacker could repeatedly execute the util with modified argv[0] and after many many attempts mkostemp() may generate suffix which makes sense. The result may be a temporary file with a name like rc.status, ld.so.preload or krb5.keytab, etc.

Note that distros usually use libuser based ch{sh,fn} or stuff from shadow-utils.

It's probably very minor security bug.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5224
http://seclists.org/oss-sec/2015/q3/423
http://seclists.org/oss-sec/2015/q3/349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224
https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9
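The pattern described in the commit message, next to a hardened form, as an added example (not util-linux code and not the upstream patch). It uses mkstemp() instead of mkostemp(), takes the directory as a parameter so it can run outside /etc, and the ".ptmp" prefix and all function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Last path component of p (what the page calls the argv[0] basename). */
static const char *base_of(const char *p)
{
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* Before: the template prefix comes from argv[0], which whoever executes
 * the program chooses. dir stands in for "/etc". Returns an fd or -1. */
static int tmp_from_argv0(const char *dir, const char *argv0,
                          char *path, size_t len)
{
    int n = snprintf(path, len, "%s/%s.XXXXXX", dir, base_of(argv0));
    return (n < 0 || (size_t)n >= len) ? -1 : mkstemp(path);
}

/* After: a constant prefix (".ptmp" is this example's choice), so
 * argv[0] never reaches the file name. Returns an fd or -1. */
static int tmp_fixed_prefix(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/.ptmp.XXXXXX", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : mkstemp(path);
}

/* 1 if the file-name part of path begins with prefix, else 0. */
static int name_starts_with(const char *path, const char *prefix)
{
    return strncmp(base_of(path), prefix, strlen(prefix)) == 0;
}

int main(int argc, char **argv)
{
    char dir[] = "/tmp/demo.XXXXXX", a[256], b[256];
    if (argc < 1 || !mkdtemp(dir))
        return 1;
    int fa = tmp_from_argv0(dir, argv[0], a, sizeof a);
    int fb = tmp_fixed_prefix(dir, b, sizeof b);
    if (fa >= 0) { printf("argv[0]-derived: %s\n", a); close(fa); unlink(a); }
    if (fb >= 0) { printf("fixed prefix:    %s\n", b); close(fb); unlink(b); }
    rmdir(dir);
    return (fa >= 0 && fb >= 0) ? 0 : 1;
}
```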
util-linux in SUSE does not use libuser. However, it could be a good idea to use it. So SUSE is affected. Should I prepare an online update? (There are several pending non-security bugs, which would be nice to release in SLES.)
I just reviewed the list of affected utilities: chfn, chsh, vipw. All three of these utilities are provided by the shadow package. => SUSE is not affected at all.