CVE-2014-4038

ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a symlink attack related to (1) rtas_errd/diag_support.c and /tmp/get_dt_files, (2) scripts/ppc64_diag_mkrsrc and /tmp/diagSEsnap/snapH.tar.gz, or (3) lpd/test/lpd_ela_test.sh and /var/tmp/ras.

From the Ubuntu Security Team

sbeattie> for (1) rtas_errd/diag_support.c fully fixed in 2.7.0, trusty does not have the second commit below, which should cause the mkstemp() call to fail; so is still not vulnerable. sbeattie> for (2) snap binary is not shipped in powerpc-utils on yakkety and newer, so scripts/ppc64_diag_mkrsrc won’t write anything out. It does not exist in trusty and earlier releases’ powerpc-utils, either. For xenial, the snap script will abort as it’s not supported on Ubuntu. So no possibility of writing the tar file out in any release; therefore not affected for this part. sbeattie> (3) is unfixed upstream. but is only in a test script that is not included in the package, so is not affected. Yakkety has patches applied by debian for this.

• How can I get the fixes?
• What do statuses mean?
• Patch details

References

• MITRE
• NVD
• Launchpad
• Debian

Other references

• https://bugzilla.redhat.com/show_bug.cgi?id=1109371
• https://bugzilla.novell.com/show_bug.cgi?id=882667
• http://openwall.com/lists/oss-security/2014/06/17/1
• https://www.cve.org/CVERecord?id=CVE-2014-4038