Bug 219279
| Summary: | CVE-2006-6698 GConfd uses non-unique directory name in /tmp leading to local DoS | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Lubomir Kundrak <lkundrak> |
| Component: | GConf2 | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.4 | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | source=redhat;reported=2006-12-12;impact=moderate | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-06-21 18:04:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 219280, 219281 | ||
This corresponds to following Gnome bugzilla entries: http://bugzilla.gnome.org/show_bug.cgi?id=167030 http://bugzilla.gnome.org/show_bug.cgi?id=141138 Closing this bug WONTFIX. See the explanation in bug 219281 for more details. |
Description of problem: GConf uses the directory /tmp/gconfd-$LOGNAME for storing a lock file (and possibly some other stuff -- I do not know, I know nearly nothing about GConf) even if GCONF_GLOBAL_LOCKS environment is not set. As the /tmp directory is sticky, it is possible for any user to create the directory with this name prior to first login of a new user, effectively preventing it from using GConf clients. The impact of this is quite serious, as the user can't use most of Gnome, Evolution, etc. and it's quite hard for a non-technican user to work it around. Additionaly, I think any temporary directory and file should disappear when application terminates. It is obvious that it is not a good practice not to do so. Version-Release number of selected component (if applicable): At least FC5 and FC6's GConf. How reproducible: Before user logs in/launches GConfd for the first time. Some systems erase /tmp at each startup or use memory-based filesystem for it. In that case the problem is reproducible after each startup. Steps to Reproduce: This migh be obvious enough while (true); do touch /tmp/gconfd-$(tail -n1 /etc/passwd |awk -F: '{print $1}'); done