Bug 461477 (CVE-2008-3521)
Summary: | CVE-2008-3521 jasper: temporary file creation race in jas_stream_tmpfile()
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Tomas Hoger <thoger>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG
Severity: | low
Priority: | low
Version: | unspecified
CC: | jnovy, rdieter, rjones
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2008-09-08 13:44:53 UTC

Description
Tomas Hoger
2008-09-08 13:30:05 UTC
Created attachment 316078
OpenBSD patch
Even though tmpnam is used in jas_stream_tmpfile, the subsequent open is called with O_CREAT | O_EXCL flags. Therefore, this cannot be used to overwrite / create new files via a symlink attack. An attacker may possibly be able to create a file with the name returned by tmpnam before open is called, but open will fail in such a case and that failure is handled gracefully by jasper.

At worst, this can result in a DoS attack against an application using jasper. An attacker needs to win a race (not trivial), and the same result can be achieved in easier ways (fill the /tmp partition), which are not prevented by mkstemp usage. Therefore, this will not be treated as a security issue.

As for netpbm, which contains a copy of (part of) the jasper code, it uses mkstemp in recent versions (such as those shipped in Red Hat Enterprise Linux 5 and current Fedora versions).
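
The behaviour the comment above relies on, as an added example (not code from jasper, netpbm or the attached OpenBSD patch): a name that is already occupied by a symlink makes `open()` with `O_CREAT | O_EXCL` fail with `EEXIST` without touching the link target, and `mkstemp()` removes the gap between choosing the name and creating the file. The function names, the scratch directory and the file templates are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open pattern the comment describes: create only if the name is unused. */
static int open_excl(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Place a dangling symlink at the chosen name before open() runs.
 * Returns 1 if open() failed with EEXIST and the link target was never created. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";    /* constructed scratch directory */
    char name[64], target[64];
    struct stat st;
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(name, sizeof name, "%s/predicted", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if (symlink(target, name) == 0) {
        int fd = open_excl(name);
        int err = errno;                      /* save before stat() changes it */
        ok = (fd == -1 && err == EEXIST && stat(target, &st) == -1);
        if (fd != -1)
            close(fd);
        unlink(name);
    }
    unlink(target);                           /* no-op unless the check failed */
    rmdir(dir);
    return ok;
}

/* mkstemp() picks the name and creates the file in one call, so there is no
 * window between the two. Returns an open fd on an already-unlinked file. */
int tmpfile_mkstemp(void)
{
    char tmpl[] = "/tmp/jasper-demo-XXXXXX";  /* constructed template */
    int fd = mkstemp(tmpl);
    if (fd != -1)
        unlink(tmpl);
    return fd;
}
```

A caller of the `O_EXCL` form still has to treat `-1` as an ordinary failure, which is the graceful handling the comment attributes to jasper.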