Bug 136314

Summary: CAN-2004-0969 temporary file vulnerabilities in groffer script
Product: [Retired] Fedora Legacy
Reporter: Mark J. Cox <mjc>
Component: groff
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: fc2
CC: aleksey, bressers, deisenst, mattdm, pekkas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: LEGACY, 2, NEEDSWORK
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-05 07:52:53 UTC
Attachments: tmp_create() function fix in groffer script (flags: none)

Description Mark J. Cox 2004-10-19 10:06:16 UTC
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep 30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in groffer.  Patch attached to bug 136313,
however the patch is for groff-1.19 and the groffer script is very
different in the version shipped in RHEL3.  However there looks to be a
similar temporary file vulnerability that could be fixed in a similar
way to the patch.

Comment 1 Jindrich Novy 2005-01-27 13:30:55 UTC
Created attachment 110290 [details]
tmp_create() function fix in groffer script

Mark, Josh,

I fixed the tmp_create() function that is frequently used within the groffer.
At some places I see constructs like this:

      sh -c '
	set -e;
	_PROCESS_ID="$$";
	_modefile="${_TMP_DIR}/${_PROGRAM_NAME}${_PROCESS_ID}";
	rm -f "${_modefile}";
	mv "${_TMP_CAT}" "${_modefile}";
	rm -f "${_TMP_CAT}";
	cat "${_modefile}" | \
	(
	  clean_up()
	  {
	    rm -f "${_modefile}";
	  }
	  trap clean_up EXIT 2>/dev/null || true;
	  eval "${_groggy}" "${_ADDOPTS_GROFF}";
	) &'
      ;;

Is this also considered a security issue? I think file name
generation based on PID isn't too good, but in this case it's rather safe,
right? If so, the attached patch is sufficient to fix this.

Comment 2 Josh Bressers 2005-01-27 16:18:40 UTC
This is still not going to be an appropriate fix.  It's better than it was, but
there is still a potential race condition.  Ideally /bin/mktemp should be used,
with an appropriate umask set before the temp file is created to prevent an
information leak.
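As an added example (not the groffer script, the attached patch, or code from anyone in this bug), the following contrasts the PID-derived temporary file name quoted in comment 1 with the mktemp-plus-umask approach comment 2 recommends; the function names and the "groffer" prefix are assumptions.

```sh
#!/bin/sh
# Added example, not part of groff or of this bug's attachment.

# Weak pattern (mirrors the construct quoted in comment 1): the name is
# derived from the PID, so it is predictable from /proc or ps, and the
# file is created with whatever umask the caller has (often 022, which
# leaves the file world-readable).
tmp_create_pid() {
  _dir="${1:-${TMPDIR:-/tmp}}"
  _file="${_dir}/groffer$$"          # predictable: groffer<PID>
  rm -f "$_file"
  : > "$_file"                       # plain create, no O_EXCL
  printf '%s\n' "$_file"
}

# Hardened pattern (what comment 2 asks for): mktemp creates the file
# atomically with a random suffix, and umask 077 inside the subshell
# guarantees mode 0600 regardless of the caller's umask.
tmp_create_mktemp() {
  _dir="${1:-${TMPDIR:-/tmp}}"
  ( umask 077; mktemp "${_dir}/groffer.XXXXXX" )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback),
# so a caller can verify the mode of whatever was created.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Calling tmp_create_pid twice yields the same path, while two tmp_create_mktemp calls yield distinct 0600 files.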

Comment 3 Matthew Miller 2005-04-11 22:18:54 UTC
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]

Comment 4 Marc Deslauriers 2005-04-20 23:09:29 UTC
See also bug 136313 and bug 152840.

Comment 5 Aleksey Nogin 2005-06-09 01:17:56 UTC
See also Bug 90631 ("1.19.1 is latest release")

Comment 6 David Eisenstein 2005-09-05 07:19:00 UTC
Why don't we (Fedora Legacy) combine this bug with 152840 so we can have all
things groffer in one place?

Comment 7 Pekka Savola 2005-09-05 07:52:53 UTC
Sure, why not... merging these two..

*** This bug has been marked as a duplicate of 152840 ***