Bug 1077023 (CVE-2014-2524)

Summary: CVE-2014-2524 readline: insecure temporary file use in _rl_tropen()
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: c.david86, erik-fedora, fedora-mingw, jchaloup, jgalipea, jkurik, jrusnack, ktietz, lfarkas, lnykryn, mlichvar, pfrields, rjones, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-21 13:43:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1077026, 1077027, 1077035    
Bug Blocks: 1077036    

Description Murray McAllister 2014-03-17 03:06:51 UTC 
Steve Kemp discovered the _rl_tropen() function in readline, a set of libraries to handle command lines, insecurely handled a temporary file. This could allow a local attacker to perform symbolic link attacks. As noted in the CVE request, _rl_tropen() is typically only called during debugging.

CVE request: http://seclists.org/oss-sec/2014/q1/579
Comment 2 Murray McAllister 2014-03-17 03:08:47 UTC 
Created readline tracking bugs for this issue:

Affects: fedora-all [bug 1077026]
Comment 4 Murray McAllister 2014-03-17 03:47:38 UTC 
Created mingw-readline tracking bugs for this issue:

Affects: fedora-all [bug 1077035]
Comment 5 Martin Prpič 2014-03-17 19:35:43 UTC 
MITRE assigned CVE-2014-2524 to this issue:

http://seclists.org/oss-sec/2014/q1/588
Comment 7 Tomas Hoger 2014-05-26 13:38:34 UTC 
Fixed upstream in 6.3 patch 3 by making the code only get compiled in when building with -DDEBUG.

http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html
http://git.savannah.gnu.org/cgit/readline.git/commit/?id=8408f86
ftp://ftp.cwru.edu/pub/bash/readline-6.3-patches/readline63-003
Comment 8 Vincent Danen 2014-09-16 17:05:26 UTC 
Statement:

This issue is only exposed via readline's debugging/tracing code and is not used by readline or any other application in Red Hat Enterprise Linux.  The tracing functions are defined in a private header file and are only meant for the readline library's internal use.  In general use, there is no exposure of this insecure temporary file issue, and while this does affect the versions of readline as shipped with Red Hat Enterprise Linux 5, 6 and 7 it is not currently planned to be addressed in future updates.

Red Hat Product Security has rated this issue as having Low security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.