Bug 136314
Summary: | CAN-2004-0969 temporary file vulnerabilities in groffer script
---|---
Product: | [Retired] Fedora Legacy
Component: | groff
Version: | fc2
Hardware: | All
OS: | Linux
Status: | CLOSED DUPLICATE
Severity: | medium
Priority: | medium
Reporter: | Mark J. Cox <mjc>
Assignee: | Fedora Legacy Bugs <bugs>
CC: | aleksey, bressers, deisenst, mattdm, pekkas
Keywords: | Security
Whiteboard: | LEGACY, 2, NEEDSWORK
Doc Type: | Bug Fix
Last Closed: | 2005-09-05 07:52:53 UTC

Description
Mark J. Cox
2004-10-19 10:06:16 UTC
Created attachment 110290
tmp_create() function fix in groffer script
Mark, Josh,
I fixed the tmp_create() function that is frequently used within the groffer.
At some places I see constructs like this:
    sh -c '
      set -e;
      _PROCESS_ID="$$";
      _modefile="${_TMP_DIR}/${_PROGRAM_NAME}${_PROCESS_ID}";
      rm -f "${_modefile}";
      mv "${_TMP_CAT}" "${_modefile}";
      rm -f "${_TMP_CAT}";
      cat "${_modefile}" | \
      (
        clean_up()
        {
          rm -f "${_modefile}";
        }
        trap clean_up EXIT 2>/dev/null || true;
        eval "${_groggy}" "${_ADDOPTS_GROFF}";
      ) &'
      ;;
Is this also considered as a security issue? I think file name
generation based on PID isn't too good, but in this case it's rather safe,
right? If so, the attached patch is sufficient to fix this.
This is still not going to be an appropriate fix. It's better than it was, but there is still a potential race condition. Ideally /bin/mktemp should be used, with an appropriate umask set before the temp file is created to prevent an information leak.

[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]

See also bug 136313 and bug 152840.

Why don't we (Fedora Legacy) combine this bug with 152840 so we can have all things groffer in one place?
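
The mktemp-with-umask approach recommended in the comments above, written out as an added example; it is not code from groffer or from the attached patch. The function names `safe_tmp_create`, `tmp_is_private` and `stage_modefile` are hypothetical, and the name prefix argument stands in for `${_PROGRAM_NAME}` from the quoted snippet.

```shell
# Added example; function names are hypothetical, not groffer's own.

# Create an empty private temp file and print its path.
# $1: name prefix (stands in for ${_PROGRAM_NAME} in the quoted snippet).
safe_tmp_create() (
    # The function body is a subshell, so the umask change stays local.
    # umask 077 keeps the file owner-only whatever mktemp's default mode is.
    umask 077
    # mktemp picks an unpredictable name and creates it exclusively, so a
    # file or symlink planted in advance at that path is never reused.
    mktemp "${TMPDIR:-/tmp}/${1:-tmp}.XXXXXXXXXX"
)

# True if $1 is a regular file (not a symlink), owned by us, mode 0600.
tmp_is_private() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" -perm 600 2>/dev/null)" ]
}

# Replacement for the PID-named rm/mv sequence: copy $1 into a fresh
# private file, remove the source, print the new path. $2: name prefix.
stage_modefile() {
    _sm_file=$(safe_tmp_create "$2") || return 1
    if tmp_is_private "$_sm_file" && cat "$1" > "$_sm_file"; then
        rm -f "$1"
        printf '%s\n' "$_sm_file"
    else
        # Do not leave a stray temp file behind on failure.
        rm -f "$_sm_file"
        return 1
    fi
}
```

A caller would use `_modefile=$(stage_modefile "${_TMP_CAT}" "${_PROGRAM_NAME}") || exit 1` and keep the existing `trap clean_up EXIT` to remove the file afterwards.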