SuSE YaST Online Update Insecure Temporary File Creation Vulnerability

SuSE YaST Online Update reportedly creates temporary files in an insecure manner.

The source of the problem is that the online_update program will create temporary files using predictable filenames in a world writeable location (/usr/tmp).

Since these file names are static, it may be trivial for an attacker to create a symbolic link in its place. A malicious local user could take advantage of this issue by mounting a symbolic link attack to corrupt other system files, most likely resulting in destruction of data.

The vendor has reported that the problem is present in SUSE Linux 8.2 and 9.0.


Privacy Statement
Copyright 2010, SecurityFocus