Rapid7 Vulnerability & Exploit Database

RHSA-2002:065: Updated sharutils package fixes uudecode issue

Back to Search

RHSA-2002:065: Updated sharutils package fixes uudecode issue

Severity
7
CVSS
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published
05/29/2002
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated packages for sharutils are available which fix potential privilege escalation using the uudecode utility.

The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. The uudecode utility would create an output file without checking to see if it was about to write to a symlink or a pipe. If a user uses uudecode to extract data into open shared directories, such as /tmp, this vulnerability could be used by a local attacker to overwrite files or lead to privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0178 to this issue. Users should update to these errata sharutils packages which contain a version of uudecode that has been patched to check for an existing pipe or symlink output file.

Solution(s)

  • redhat-upgrade-sharutils

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;