Vulnerability Details : CVE-2012-3500
scripts/annotate-output.sh in devscripts before 2.12.2, as used in rpmdevtools before 8.3, allows local users to modify arbitrary files via a symlink attack on the temporary (1) standard output or (2) standard error output file.
Products affected by CVE-2012-3500
- cpe:2.3:a:devscripts_devel_team:devscripts:*:*:*:*:*:*:*:*When used together with: Fedora » Rpmdevtools
- cpe:2.3:a:devscripts_devel_team:devscripts:2.12.0:*:*:*:*:*:*:*When used together with: Fedora » Rpmdevtools
Exploit prediction scoring system (EPSS) score for CVE-2012-3500
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 14 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-3500
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
1.2
|
LOW | AV:L/AC:H/Au:N/C:N/I:P/A:N |
1.9
|
2.9
|
NIST |
CWE ids for CVE-2012-3500
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3500
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087335.html
[SECURITY] Fedora 18 Update: rpmdevtools-8.3-1.fc18
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:123
mandriva.com
-
http://www.debian.org/security/2012/dsa-2549
Debian -- Security Information -- DSA-2549-1 devscriptsVendor Advisory
-
http://lists.opensuse.org/opensuse-updates/2012-11/msg00000.html
openSUSE-SU-2012:1437-1: moderate: deb, update-alternatives
-
https://bugzilla.redhat.com/show_bug.cgi?id=848022
848022 – (CVE-2012-3500) CVE-2012-3500 rpmdevtools: TOCTOU race condition in annotate-output
-
http://secunia.com/advisories/50600
Sign inVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086138.html
[SECURITY] Fedora 17 Update: rpmdevtools-8.3-1.fc17
-
http://www.openwall.com/lists/oss-security/2012/08/31/7
oss-security - [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race condition in annotate-output
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/78230
Fedora Project rpmdevtools and Debian devscripts TOCTOU symlink CVE-2012-3500 Vulnerability Report
-
http://www.securityfocus.com/bid/55358
Multiple Products CVE-2012-3500 Temporary File Handling Security Vulnerability
-
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0316
Support/Advisories/MGASA-2012-0316 - Mageia wiki
-
http://www.ubuntu.com/usn/USN-1593-1
USN-1593-1: devscripts vulnerabilities | Ubuntu security notices
-
http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git%3Ba=commit%3Bh=4d23a5e6c90f7a37b0972b30f5d31dce97a93eb0
404 Not Found
-
http://git.fedorahosted.org/cgit/rpmdevtools.git/commit/?id=90b4400c2ab2e80cecfd8dfdf031536376ed2cdb
Infrastructure/Fedorahosted-retirement - Fedora Project WikiPatch
-
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086159.html
[SECURITY] Fedora 16 Update: rpmdevtools-8.3-1.fc16
Jump to