Bug 159003

Summary: CAN-2005-1751 shtool insecure temporary file creation
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: ncpfsAssignee: Jiri Ryska <jryska>
Status: CLOSED NOTABUG QA Contact: David Lawrence <dkl>
Severity: low Docs Contact:
Priority: medium    
Version: 3Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20050524,source=vendor-sec,reported=20050526
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-01 12:39:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-05-27 15:41:34 UTC 
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
http://www.zataz.net/adviso/shtool-05252005.txt

ncpfs contains shtool in its source.
Comment 1 Josh Bressers 2005-05-27 15:41:59 UTC 
This issue should also affect FC4
Comment 2 Jiri Ryska 2005-06-01 12:39:48 UTC 
Ncpfs contains shtool in its source but it is not original shtool. It is only
small part of it. The part of code which create temporary file is in if sequence
and its condition can never be true. 
Code:
...
gen_tmpfile=no
...
if [ ".$gen_tmpfile" = .yes ]; then
    ...
    tmpfile="$tmpdir/.shtool.$$"
    rm -f $tmpfile >/dev/null 2>&1
    touch $tmpfile
fi