CVE-2019-18932

NameCVE-2019-18932
Descriptionlog.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory, and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs951390

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sarg (PTS)jessie2.3.6-1vulnerable
stretch2.3.10-2vulnerable
bookworm2.4.0-3fixed
sid, trixie2.4.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sargsourcewheezy(unfixed)end-of-life
sargsource(unstable)2.4.0-1unimportant951390

Notes

https://www.openwall.com/lists/oss-security/2020/01/20/6
The sarg-reports as shipped in Debian has already safe use of mktemp for
use of temporary files and directories.
Fixed by: https://sourceforge.net/p/sarg/code/ci/8ec6d20be8c0da3c885aba78e63251f2e5080748
Neutralised by kernel hardening
Search for package or bug name: Reporting problems