Bug 166365

Summary: CAN-2005-2693 CVS temporary file issue
Product: Red Hat Enterprise Linux 4
Component: cvs
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: medium
Keywords: Security
Reporter: Josh Bressers <bressers>
Assignee: Martin Stransky <stransky>
QA Contact: Ben Levenson <benl>
Whiteboard: impact=low,reported=20050819,source=vendorsec
Fixed In Version: RHSA-2005-756
Doc Type: Bug Fix
Last Closed: 2005-09-06 13:41:53 UTC

Description Josh Bressers 2005-08-19 19:39:23 UTC
Insecure temporary file usage was found in the cvsbug program.  It is possible
that a malicious user could leverage this issue to execute arbitrary
instructions as the user running cvsbug.

Here is the suggested patch

Index: cvs-1.12.12/src/cvsbug.in
===================================================================
--- cvs-1.12.12.orig/src/cvsbug.in
+++ cvs-1.12.12/src/cvsbug.in
@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP
   fi
 fi

 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
   ORIGINATOR="`cat $TEMP`"
-  rm -f $TEMP
+  > $TEMP
 fi

 if [ -n "$ORGANIZATION" ]; then
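
Review bot: In both changed spots the pipeline output is written to $TEMP only so that the next line can read it back with `cat $TEMP`, so the temp file is not needed at these two places; assigning the pipeline result straight to ORIGINATOR with command substitution would remove the file reuse that the switch from `rm -f $TEMP` to `> $TEMP` is working around. If the file has to stay, `$TEMP` should be quoted in the redirections and in `cat $TEMP`, and because the truncated file is now left on disk, it needs a cleanup on exit, which these lines do not show. Whether truncation is safe also depends on how $TEMP was created, which is outside this hunk.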


Additionally, OWL has a number of additional temporary file fixes, most of which
are not security related:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/cvs/

Comment 1 Josh Bressers 2005-08-19 19:41:54 UTC
This issue should affect RHEL2.1 and RHEL3 as well.

Comment 2 Martin Stransky 2005-08-22 15:12:39 UTC
I'm not sure if this patch solves any problem (what is different if you change
"rm -f" to ">" when it comes to security?), and are you sure that this is a
security issue? The only attack that I can imagine is setting the $TMPDIR
variable to some malicious value, but only the user himself or root can do this,
so I don't see a problem here... Or is there any other problem?


Comment 3 Josh Bressers 2005-08-22 15:19:42 UTC
It could be.  It will really depend on the usage (I honestly don't know, I've
not fully investigated this).  By using rm -f, you are removing the file, which
could allow a malicious user (unlikely, but possible) to create a new file
before you do.  Depending on how the contents of the file are then used, it could
let an attacker run arbitrary commands.

">" just overwrites the file, keeping permissions, so it is safer.

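The difference Comment 3 describes, as an added example that is not part of the original report or of cvsbug: the sketch below (all function names are hypothetical) clears a mktemp-created file both ways and records whether the name was free in between and what mode the file has once it is written again. It runs in a private `mktemp -d` directory, so no other user is involved.

```shell
#!/bin/sh
# Added illustration, not cvsbug code; all function names are hypothetical.
# Shows what each way of clearing a temp file does to the file's name and
# permissions before the script writes to that path again.

mode_of() {                       # permission string, e.g. -rw-------
    ls -ld "$1" | cut -c1-10
}

# Pre-patch pattern: remove, then reuse the same path.
clear_with_rm() {
    rm -f "$1"
    if [ -e "$1" ]; then NAME_FREE=no; else NAME_FREE=yes; fi
    # In a shared directory such as /tmp, the free name can be claimed by
    # another user before the next write.
    echo data > "$1"              # creates a brand-new file under our umask
    MODE_AFTER=$(mode_of "$1")
}

# Patched pattern: truncate in place, the original file stays ours.
clear_with_truncate() {
    : > "$1"                      # same effect as the patch's bare "> $TEMP"
    if [ -e "$1" ]; then NAME_FREE=no; else NAME_FREE=yes; fi
    echo data > "$1"              # reopens the file that mktemp created
    MODE_AFTER=$(mode_of "$1")
}

# Run one pattern against a fresh mktemp file; prints "<name free?> <mode>".
run_case() {
    ( umask 022
      dir=$(mktemp -d) || exit 1
      tmp=$(mktemp "$dir/pXXXXXX") || exit 1   # mktemp creates it mode 0600
      "$1" "$tmp"
      echo "$NAME_FREE $MODE_AFTER"
      rm -rf "$dir" )
}

echo "rm -f : $(run_case clear_with_rm)"
echo ">     : $(run_case clear_with_truncate)"
```

After `rm -f` the rewritten file is a new one that takes its mode from the umask; after truncation it is still the 0600 file that mktemp created.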
Comment 4 Martin Stransky 2005-08-23 09:07:07 UTC
okay. Is this issue planned for async errata?

Comment 5 Red Hat Bugzilla 2005-09-06 13:41:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-756.html