squid /tmp File Race Condition...

Published: 2001-01-10
Revised: 2025-04-13

squid is a freely available Web Proxy software package, written and maintained by the National Science Foundation. A flaw in how the software creates files in /tmp could lead to a race condition. The squid package can be configured to send email to the administrator when updates occur. However, when the email is created, files in the /tmp directory are created insecurely, and squid does not check whether a file of that name already exists. These /tmp files are normally created only when a development version of squid is in use or when the system clock is reporting an incorrect time. It is therefore possible for a malicious user to guess the name of a future /tmp file and create a symbolic link to a file writable by the UID of the squid process, thus overwriting a file owned by the squid user, or appending to and corrupting the file.
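The file-creation pattern described above next to an exclusive-create form, as an added example that is not squid's code. The function names, the scratch directory and the file name mail.12345 are constructed for illustration, and the scenario runs entirely inside a private directory made with mkdtemp().

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: predictable name, no existence check.
 * Without O_EXCL, open() follows a symlink that is already at `path`. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a symlink,
 * already exists at `path`; check and create happen as one atomic step.
 * (mkstemp() does the same and also picks an unpredictable name.) */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a link is already present at the predictable name.
 * Returns the number of bytes that ended up in the link's target after the
 * "mail" write, or -1 if the setup itself failed. */
long bytes_written_through_link(int hardened) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", target[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/proxy-owned", dir);
    snprintf(tmp, sizeof tmp, "%s/mail.12345", dir);   /* guessable name */
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || close(t) != 0 || symlink(target, tmp) != 0) return -1;
    int fd = hardened ? open_exclusive(tmp) : open_predictable(tmp);
    if (fd >= 0) {
        if (write(fd, "mail body\n", 10) != 10) { close(fd); return -1; }
        close(fd);
    }
    if (stat(target, &st) != 0) return -1;
    unlink(tmp); unlink(target); rmdir(dir);
    return (long)st.st_size;
}

int main(void) {
    printf("predictable open: %ld bytes reached the target\n", bytes_written_through_link(0));
    printf("exclusive open:   %ld bytes reached the target\n", bytes_written_through_link(1));
    return 0;
}
```

With the exclusive open the write never happens because open() returns -1 with EEXIST, which is also the condition to log when checking a host for pre-planted files in /tmp.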

No exploit or PoC is currently available.
There are currently 0 affected product entries.