Debian Security Advisory

make -- symlink attack in make

Date Reported:

14 Feb 2000

Affected Packages:

make

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

The make package as shipped in Debian GNU/Linux 2.1 is vulnerable to a race condition that can be exploited with a symlink attack. make used mktemp while creating temporary files in /tmp -- a known potential security hole, as documented in the man page of mktemp. This has been fixed in version 3.77-5slink. We recommend you upgrade your make package immediately.

Fixed in:

Source:: http://security.debian.org/dists/slink/updates/source/make_3.77.orig.tar.gz; http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.diff.gz; http://security.debian.org/dists/slink/updates/source/make_3.77-5slink.dsc
alpha:: http://security.debian.org/dists/slink/updates/binary-alpha/make_3.77-5slink_alpha.deb
i386:: http://security.debian.org/dists/slink/updates/binary-i386/make_3.77-5slink_i386.deb
m68k:: http://security.debian.org/dists/slink/updates/binary-m68k/make_3.77-5slink_m68k.deb
sparc:: http://security.debian.org/dists/slink/updates/binary-sparc/make_3.77-5slink_sparc.deb