Bug 223233 (CVE-2007-0007)

Summary: CVE-2007-0007 gnucash happily overwrites files at /tmp
Product: [Fedora] Fedora Reporter: Sami Farin <hvtaifwkbgefbaei>
Component: gnucashAssignee: Bill Nottingham <notting>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: rvokal, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-27 17:37:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sami Farin 2007-01-18 16:09:15 UTC 
Description of problem:
gnucash ignores env vars TMP TMPDIR TEMP TEMPDIR and happily
opens with modes O_WRONLY|O_CREAT|O_TRUNC (forgets O_EXCL),
allowing easy overwrite of gnucash user's files
in case of many users on the same system
or some evil program having access to /tmp.

Version-Release number of selected component (if applicable):
2.0.4-1

How reproducible:
always

Steps to Reproduce:
1. start gnucash
2.
3.
  
Actual results:
19621 17:56:45.850053 open("/tmp/gnucash.trace",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000034>
19621 17:56:45.850143 open("/tmp/qof.trace",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000028>
19621 17:56:45.850271 open("/tmp/qof.trace.19621",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 19 <0.000200>


Expected results:
using my temp dirs or flag O_EXCL to open().

Additional info:
Comment 1 Josh Bressers 2007-01-18 18:45:18 UTC 
I'm giving this CVE-2007-0007.  Sami, do you mind if I share this information
with the Vendor Security mailing list?  It is a group of trusted vendors who
would appreciate a notification of this flaw.  Additionally do you have a date
in mind to make this flaw public?  If you don't care, I'd be happy to work one
out with the other affected vendors.

Thanks for the report.
Comment 2 Sami Farin 2007-01-18 20:58:13 UTC 
You can do the CVE dance and share the info.

You can work out the publication if you want to...
but if you forget to do it, I do it on Feb 19 2007.

If you need to use my email, safari-fedora.fi
is for that purpose, let's use this bugzilla email for bugzilla.
Comment 4 Josh Bressers 2007-02-19 17:30:11 UTC 
This flaw is now public:
http://secunia.com/advisories/24225/
Comment 5 Fedora Update System 2007-02-19 18:41:50 UTC 
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 6 Fedora Update System 2007-02-27 16:49:19 UTC 
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.