Bug 152462

Summary: CAN-2005-0866 cdrecord insecure temporary file
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: cdrtoolsAssignee: Harald Hoyer <harald>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 4.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=cve,impact=low,public=20050120,reported=20050326
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-09 16:04:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch for this issue none

Description Josh Bressers 2005-03-29 18:50:35 UTC 
Stolen from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291376

Cdrtools has some code (and default configuration) that suggests users that 
want to debug its behaviour to open up a can of worms associate to insecure 
temporary files usage. The Debug file defined in the configuration will 
just be fopened() without any checks and is thus vulnerable to symlink 
attacks.

The attached patch tries to fix this minor bug (not many users will really 
enabled DEBUG) by introducing a check in rscsi.c to avoid being vulnerable 
to symlink attacks and by modifying the provided config file telling users 
to use safe locations for debug files. The patch introduces a DoS condition 
(if somebody has created the file the program will exit) and that's why 
users are suggested (in the comments of the configuration file) to use a 
safe location (not /tmp) for debugging.
Comment 1 Josh Bressers 2005-03-29 18:50:35 UTC 
Created attachment 112423 [details]
Proposed patch for this issue
Comment 2 Josh Bressers 2005-03-29 18:51:14 UTC 
This issue should also affect RHEL2.1 and RHEL3
Comment 3 Josh Bressers 2005-06-02 18:44:44 UTC 
Ping on this issue
Comment 4 Harald Hoyer 2005-09-09 16:04:50 UTC 
WONTFIX until next real issue.