Bug 251200 (CVE-2007-3852)

Summary: CVE-2007-3852 sysstat insecure temporary file usage
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, varekova, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-21 14:22:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 252295, 252296, 716959    
Bug Blocks:    

Description Josh Bressers 2007-08-07 18:51:43 UTC 
Julien L. reported a bug in the way sysstat creates a temporary file during startup.

    Introduction
    ------------

    Sysstat package provides the sar and iostat commands for Linux. Sar and
    iostat enable system monitoring of disk, network, and other IO activity.

    When sysstat service starts or restarts, a part of the sysstat script
    located in the /etc/init.d directory is executed.

    /etc/init.d/sysstat (from a Red Hat EL5 distribution):
    ...
    31 rm -f /tmp/sysstat.run
    32
    33 # See how we were called.
    34 case "$1" in
    35 start)
    36 echo -n "Calling the system activity data collector (sadc): "
    37 /usr/lib/sa/sadc -F -L - && touch /tmp/sysstat.run
    38
    ...

    The temporary file "sysstat.run" is created in an insecure manner in the
    tmp directory. A simple user is abble to create a file wherever on the
    system using a symlink attack.

This flaw is only exploitable when the sysstat service is issued a "start"
command.  This is only exploitable by a local user when the system switches
runlevels (the most likely being the move from runlevel 3 to runlevel 5 during
startup).  It's also possible if an admin run "service sysstat start".
Running "service sysstat restart" will not trigger the flaw.
Comment 2 Lubomir Kundrak 2007-08-15 06:25:46 UTC 
Reference to Gentoo bugzilla, contains a patch:
http://bugs.gentoo.org/show_bug.cgi?id=188808
Comment 5 errata-xmlrpc 2011-07-21 10:39:34 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
Comment 6 errata-xmlrpc 2011-07-21 12:10:20 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
Comment 7 Jan Lieskovsky 2011-07-21 14:21:41 UTC 
Statement:

This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.