CVE-2008-4953

Name	CVE-2008-4953
Description	firehol in firehol 1.256 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/.firehol-tmp-#####-- and (2) /tmp/firehol.conf temporary files. NOTE: the vendor disputes this vulnerability, stating that an attack "would require an attacker to create 1073741824*PID-RANGE symlinks.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	496424

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firehol (PTS)	jessie	1.297-1	vulnerable
	stretch	3.1.1+ds-1	vulnerable
	buster	3.1.6+ds-8	vulnerable
	bullseye	3.1.7+ds-2	vulnerable
	bookworm	3.1.7+ds-2.1	vulnerable
	sid, trixie	3.1.7+ds-5	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
firehol	source	(unstable)	(unfixed)	unimportant		496424

attack unfeasible because of $$-${RANDOM}-${RANDOM}