Debian Security Advisory

make -- symlink attack in make

Date Reported:
14 Feb 2000
Affected Packages:
make
Vulnerable:
Yes
Security database references:
No other external database security references currently available.
More information:
The make package as shipped in Debian GNU/Linux 2.1 is vulnerable to a race condition that can be exploited with a symlink attack. make used mktemp while creating temporary files in /tmp -- a known potential security hole, as documented in the man page of mktemp. This has been fixed in version 3.77-5slink. We recommend you upgrade your make package immediately.
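The race described above, as an added example that is not part of the original advisory or of make's source: it contrasts the mktemp-style pattern (pick a predictable name, open it later) with atomic creation via `O_EXCL` and `mkstemp()`. The function names and the scratch directory are constructed for illustration, and everything happens inside a private directory made with `mkdtemp()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: name chosen earlier, opened without O_EXCL, so a symlink is followed. */
static int open_unsafe(const char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Hardened: O_EXCL fails with EEXIST if anything, even a symlink, is at the path. */
static int open_exclusive(const char *p) { return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600); }

/* Bit 0 (1): the unsafe open truncated the symlink's target.
 * Bit 1 (2): the exclusive open refused the planted symlink.
 * Bit 2 (4): mkstemp() created a fresh file. Returns -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/dsa-demo-XXXXXX";   /* constructed scratch directory */
    char victim[64], guess[64], tmpl[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/predictable", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe-XXXXXX", dir);

    /* Stand-in for a file the user owns, plus a symlink at the guessed name. */
    if ((fd = open_exclusive(victim)) < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, guess) != 0) return -1;

    fd = open_exclusive(guess);            /* refused: the path already exists */
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_unsafe(guess);               /* follows the link, truncates target */
    if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;

    if ((fd = mkstemp(tmpl)) >= 0) { result |= 4; close(fd); unlink(tmpl); }

    unlink(guess); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result bits: %d\n", demo_symlink_race()); return 0; }
```

A result of 7 means the non-exclusive open emptied the file behind the symlink while `O_EXCL` and `mkstemp()` were unaffected by it.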
Fixed in:
Source:
http://security.debian.org/dists/slink/updates/source/make_3.77.orig.tar.gz
http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz
http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.dsc
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/make_3.77-5slink_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/make_3.77-5slink_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/make_3.77-5slink_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/make_3.77-5slink_sparc.deb