CVE-2014-4039

Name of the Vulnerable Software and Affected Versions ppc64-diag version 2.6.1 ppc64-diag-debugsource (affected versions not specified) ppc64-diag-debuginfo (affected versions not specified)

Description The issue concerns multiple vulnerabilities in the ppc64-diag package of openSUSE and SUSE Linux Enterprise operating systems. These vulnerabilities can be exploited locally, potentially leading to breaches of confidentiality, integrity, and availability of protected information. Specifically, the vulnerability in ppc64-diag 2.6.1 involves the use of 0775 permissions for /tmp/diagSEsnap and inadequate restriction of permissions for /tmp/diagSEsnap/snapH.tar.gz. This allows local users to access sensitive information by reading files in the archive, such as /var/log/messages and /etc/yaboot.conf.

Recommendations For ppc64-diag version 2.6.1, consider changing the permissions of /tmp/diagSEsnap to restrict access and limit the readability of /tmp/diagSEsnap/snapH.tar.gz to authorized users. For ppc64-diag-debugsource and ppc64-diag-debuginfo, at the moment, there is no information about a newer version that contains a fix for this vulnerability.