Bug 162978

Summary: CAN-2005-2104 sysreport insecure temporary directory usage
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: sysreportAssignee: Ngo Than <than>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: medium    
Version: 4.0CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,embargo=20050809,source=secalert,reported=20050711
Fixed In Version: RHSA-2005-598 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-09 12:07:28 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Josh Bressers 2005-07-11 18:48:40 EDT
sysreport creates a temporary directory in an insecure manner.

umask 0077

ROOT should be something like
ROOT=`mktemp -d /tmp/sysreport.XXXXXXXX`

It is possible for a local attacker to cause a race condition and trick
sysreport into writing its output to a directory the attacker can read.
Comment 1 Josh Bressers 2005-07-11 18:49:41 EDT
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Josh Bressers 2005-07-11 18:52:20 EDT
This issue was discovered by Bill Stearns
Comment 3 Ngo Than 2005-07-12 06:31:59 EDT
it's now fixed in sysreport-1.3.15-3 (RHEL4), sysreport- (RHEL3) and
sysreport- (RHEL2.1).
Comment 4 Josh Bressers 2005-08-09 11:32:46 EDT
Lifting embargo
Comment 5 Red Hat Bugzilla 2005-08-09 12:07:28 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 6 Fedora Update System 2005-11-10 12:18:35 EST
From User-Agent: XML-RPC

sysreport-1.4.1-5 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.