Linuxconf as shipped with RedHat 5.1 contains a /tmp bug.
a36bcb5b3486549b9a761587b4999e2bfa04fe86b2343fdb6ca1639fa2a50672
Date: Sat, 22 Aug 1998 20:35:42 -0500
From: Alex Mottram <alex@NET-CONNECT.NET>
Subject: Security concerns in linuxconf shipped w/RedHat 5.1
There exists a security / DOS problem with linuxconf-1.11.r11-rh3/i386 as
upgraded from RedHat's FTP site. No other versions have been tested by me.
Both the maintainer of linuxconf and RedHat Software were made aware of this
problem.
[root@machine SRPMS]# rpm -q linuxconf
linuxconf-1.11r11-rh3
The details of the problem are neither new nor exciting so a very brief
description follows:
linuxconf creates at least one file in /tmp during/at execution, and
will blindly follow a symlink from that file. As linuxconf is an admin
tool, and can/should only be run as root, the possibilities of system
smashing are multiple.
A version of linuxconf that does not have this problem is available at:
ftp://ftp.solucorp.qc.ca/pub/linuxconf/devel/redhat-5.1/linuxconf-1.11r19-1.i386.rpm
Thanks to Jacques Gelinas (linuxconf maintainer) for releasing a fixed
version quickly.