Bug 461501 (CVE-2008-3927)

Summary: CVE-2008-3927 tiger: insecure temporary file use in genmsgidx
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-09-10 22:08:11 UTC
Bug Depends On: 665464
Attachments:
Patch used by Debian maintainer (flags: none)
Patch using mktemp (flags: none)
Patch that completely removes temporary file usage (flags: none)

Description Tomas Hoger 2008-09-08 16:15:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3927 to the following vulnerability:

genmsgidx in Tiger 3.2.2 allows local users to overwrite or delete arbitrary files via a symlink attack on temporary files.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496415
http://secunia.com/advisories/31659

Comment 1 Tomas Hoger 2008-09-08 16:18:40 UTC
Shipped in Fedora as /usr/lib/tiger/util/genmsgidx

According to the Debian bug, this script is not needed at runtime, only at package build time.  If that is the case, removing it completely may be a solution.

Comment 2 Tomas Hoger 2008-09-08 16:20:59 UTC
Created attachment 316103
Patch used by Debian maintainer

Uses tempfile from debianutils and falls back to the previous insecure way when it's not available.

Comment 3 Tomas Hoger 2008-09-08 16:22:17 UTC
Created attachment 316104
Patch using mktemp

Comment 4 Tomas Hoger 2008-09-08 16:29:05 UTC
Created attachment 316105
Patch that completely removes temporary file usage

It should be possible to provide the same functionality without the need for a temporary file.

Actually, if we only care about Fedora, we can assume that [ accepts the -x option and skip the test completely.  The bash version of [ seems to support -x even in the version shipped in Red Hat Enterprise Linux 2.1; the coreutils version of [ seems to support it as of Red Hat Enterprise Linux 4.

If we want that script to work on older systems, I'd probably go with this patch not using any temporary file.
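
The approaches discussed in the attachments above (a guessable temporary file name, mktemp, and no temporary file at all), shown side by side as an added example that is not part of the original bug report and is not tiger's genmsgidx code. The function names, the probe.$$ file name and the use of /bin/sh as a known executable are assumptions; the demo runs entirely inside a private directory.

```shell
#!/bin/sh
# Added example, not tiger's genmsgidx code. Function names, the probe.$$ file
# name and /bin/sh as a known executable are assumptions for illustration.

# Contrast case: the name is guessable from the PID, and '>' follows a link
# that already sits at that path. $1 is the directory (a script would use /tmp).
probe_x_predictable() {
    f="$1/probe.$$"
    rc=1
    if true > "$f" && chmod +x "$f" && [ -x "$f" ] 2>/dev/null; then rc=0; fi
    rm -f "$f"
    return "$rc"
}

# mktemp variant: random suffix, file created with O_EXCL and mode 0600, so an
# existing file or link at the chosen path is never opened.
probe_x_mktemp() {
    f=$(mktemp "$1/probe.XXXXXX") || return 2
    rc=1
    if chmod +x "$f" && [ -x "$f" ] 2>/dev/null; then rc=0; fi
    rm -f "$f"
    return "$rc"
}

# No temporary file: probe against a file that is already executable.
# The directory argument is accepted and ignored.
probe_x_notemp() {
    [ -x /bin/sh ] 2>/dev/null
}

# Constructed demo in a private directory: a link at the predictable name
# points at a stand-in file; report whether each variant left it intact.
demo() {
    d=$(mktemp -d) || return 2
    for variant in predictable mktemp notemp; do
        echo "important" > "$d/target"
        ln -s "$d/target" "$d/probe.$$"
        "probe_x_$variant" "$d" || :
        if [ -s "$d/target" ]; then
            echo "$variant: target intact"
        else
            echo "$variant: target truncated"
        fi
        rm -f "$d/probe.$$"
    done
    rm -rf "$d"
}

demo
```

Only the predictable-name variant empties the linked file; the mktemp and no-temporary-file variants never open the path the link occupies.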

Comment 5 Vincent Danen 2010-12-23 22:42:48 UTC
Wow.  This was reported two years ago, has a working patch, and it was never fixed.

Comment 6 Vincent Danen 2010-12-23 22:45:05 UTC
Created tiger tracking bugs for this issue

Affects: fedora-all [bug 665464]

Comment 7 Vincent Danen 2012-09-10 22:08:11 UTC
This file seems to no longer exist in any version of tigervnc that we ship.

Comment 8 Tomas Hoger 2012-09-10 22:16:08 UTC
(In reply to comment #7)
> This file seems to no longer exist in any version of tigervnc that we ship.

Note that this bug is for tiger (Security auditing on UNIX systems), not tigervnc.  It seems tiger was removed from Fedora before F15.

Comment 9 Vincent Danen 2012-09-10 22:50:41 UTC
Hah, don't know why I was looking at tigervnc.  The file doesn't exist anywhere in Fedora anyways.  Thanks for the double-check.