Bug 435420 (CVE-2008-1078)

Summary: CVE-2008-1078 am-utils: insecure usage of temporary files
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kzak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1078
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 16:33:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 437746    
Bug Blocks:    

Description Tomas Hoger 2008-02-29 07:58:10 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1078 to the following vulnerability:

expn in the am-utils and net-fs packages for Gentoo rPath Linux, and
other distributions, allows local users to overwrite arbitrary files
via a symlink attack on the expn[PID] temporary file.  NOTE: this is
the same issue as CVE-2003-0308.1.

References:
http://bugs.gentoo.org/show_bug.cgi?id=210158
Comment 1 Tomas Hoger 2008-02-29 08:02:53 UTC 
Suggested patch:

--- expn.orig   2008-02-14 15:34:05.083376000 +0000
+++ expn        2008-02-14 15:37:11.380887000 +0000
@@ -9,6 +9,7 @@
 # hardcoded constants, should work fine for BSD-based systems
 #require 'sys/socket.ph';      # perl 4
 use Socket;                    # perl 5
+use Fcntl;
 $AF_INET = &AF_INET;
 $SOCK_STREAM = &SOCK_STREAM;
 
@@ -1009,7 +1010,7 @@
        }
 
        $0 = "$av0 - nslookup of $server";
-       open(T,">/tmp/expn$$") || die "open > /tmp/expn$$: $!\n";  
+       sysopen(T,"/tmp/expn$$", O_EXCL | O_CREAT) || die "open > /tmp/expn$$:
$!\n";
        print T "set querytype=MX\n";
        print T "$server\n";
        close(T);
Comment 2 Josh Bressers 2008-03-04 19:10:45 UTC 
I'm going to wontfix this flaw.  The time and effort required to fix it is far
greater than the possible damage is can do.

After investigating the source for all of Red Hat Enterprise Linux, it was noted
that nothing shipped ever runs this tool.  This means that the only possible way
this can be exploited is if an admin runs it manually, or via a custom script.

If you feel this analysis if flawed, please feel free to add a comment.
Comment 4 Tomas Hoger 2008-03-17 08:34:26 UTC 
No package in Fedora 8 depends on am-utils or /usr/bin/expn.

I've created tracking bug for Fedora rawhide, so that this issue gets fixed for
future versions of Fedora and Red Hat Enterprise Linux.
Comment 5 Fedora Update System 2008-12-02 13:29:58 UTC 
am-utils-6.1.5-8.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/am-utils-6.1.5-8.1.fc9
Comment 6 Fedora Update System 2009-01-07 09:33:47 UTC 
am-utils-6.1.5-8.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.