Tmpwatch Recursive Write DoS Vulnerability
Any user with write access to /tmp or /var/tmp, can induce tmpwatch to cause Red Hat (and others runnng tmpwatch from cron) to stop responding, and possibly require a hard reboot. This is accomplished by creating a directory tree many (ie. ~6000) nodes deep in /tmp. For each level of the directory in /tmp, tmpwatch will fork() a new copy of itself.
Red Hat affected versions:
Red Hat Linux 7.0 (tmpwatch v.2.5.1)
Red Hat Linux 6.2 (tmpwatch v.2.2)
(excerpted from Internet Security Systems Security Advisory)
"Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages
suggests this vulnerability was recognized and a fix was attempted. However,
the fix is incorrect, and the vulnerability is still exploitable.
Do not use the --fuser or -s options with tmpwatch."