Bug 461477 (CVE-2008-3521)

Summary: CVE-2008-3521 jasper: temporary file creation race in jas_stream_tmpfile()
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: jnovy, rdieter, rjones
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-09-08 13:44:53 UTC
Attachments: OpenBSD patch (flags: none)

Description Tomas Hoger 2008-09-08 13:30:05 UTC
Marc Espie and Christian Weisgerber of the OpenBSD project reported that the jas_stream_tmpfile() function used by jasper to create temporary files uses the tmpnam C library function to create temporary names.  Usage of the tmpnam function may result in races in temporary file creation.

OpenBSD jasper library patches:
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/

Comment 1 Tomas Hoger 2008-09-08 13:35:29 UTC
Created attachment 316078 [details]
OpenBSD patch

Comment 2 Tomas Hoger 2008-09-08 13:44:53 UTC
Even though tmpnam is used in jas_stream_tmpfile, the subsequent open is called with the O_CREAT | O_EXCL flags.  Therefore, this cannot be used to overwrite or create new files via a symlink attack.

An attacker may possibly be able to create a file with the name returned by tmpnam before open is called, but open will fail in such a case and that failure is handled gracefully by jasper.  At worst, this can result in a DoS attack against an application using jasper.  An attacker needs to win a race (not trivial), and the same result can be achieved via easier ways (fill the /tmp partition), which are not prevented by mkstemp usage.  Therefore, this will not be treated as a security issue.

As for netpbm, which contains a copy of (part of) the jasper code, it uses mkstemp in recent versions (such as those shipped in Red Hat Enterprise Linux 5 and current Fedora versions).
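Added example, not code from this bug report or from jasper or netpbm: the two creation strategies comment 2 contrasts, written as a small C program. open_excl_create() mirrors the O_CREAT | O_EXCL open that turns jasper's tmpnam race into a graceful failure instead of an overwrite, excl_open_refuses_existing() pre-occupies the path to show that lost-race outcome deterministically, and mkstemp_roundtrip() shows the atomic alternative the comment mentions. The function names, the /tmp/jas_demo_ template and the pre-occupied path are constructed for this example; the path is passed in by the caller instead of being obtained from tmpnam() so the outcome does not depend on timing.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed example (not jasper's code). open_excl_create() models the
 * second half of the jas_stream_tmpfile() pattern from comment 2: a name
 * chosen in advance, then open(2) with O_CREAT|O_EXCL. The name comes from
 * the caller rather than from tmpnam() so the race can be staged in a test. */

/* Returns an fd >= 0, or -1 with errno set. Because of O_EXCL the call
 * never follows a symlink or truncates an existing file: if anything is
 * already at `path`, open fails with EEXIST and the caller carries on. */
int open_excl_create(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Stages a lost race: `path` is occupied before the O_EXCL open runs.
 * Returns 1 if open_excl_create() refused with EEXIST (the graceful
 * failure / DoS-only outcome), 0 otherwise. Removes the staged file. */
int excl_open_refuses_existing(const char *path)
{
    int pre = open(path, O_CREAT | O_WRONLY, 0600); /* the pre-existing file */
    if (pre < 0)
        return 0;
    close(pre);

    int fd = open_excl_create(path);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return refused;
}

/* The idiom comment 2 contrasts with tmpnam: mkstemp(3) picks the name and
 * creates the file with O_CREAT|O_EXCL in a single call, so nothing can slip
 * in between name selection and creation. The template is constructed for
 * this example. Returns 1 if a file was created, is visible on disk, and was
 * removed again; 0 on any failure. */
int mkstemp_roundtrip(void)
{
    char path[] = "/tmp/jas_demo_XXXXXX";   /* XXXXXX is replaced by mkstemp */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int ok = (strncmp(path, "/tmp/jas_demo_", 14) == 0)
          && (access(path, F_OK) == 0);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("O_EXCL open refuses pre-existing path: %s\n",
           excl_open_refuses_existing("/tmp/jas_demo_preexisting") ? "yes" : "no");
    printf("mkstemp round trip: %s\n", mkstemp_roundtrip() ? "ok" : "failed");
    return 0;
}
```

Build with `cc -Wall -o tmpfile_demo tmpfile_demo.c` and run it; the first line shows why the report was closed NOTABUG (the worst case is a refused open, which the caller handles), and the second shows the mkstemp idiom that removes even that window, while, as comment 2 notes, still not protecting against a full /tmp.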