Bug 705100 (CVE-2011-1920)

Summary: CVE-2011-1920 mk-files: insecure temporary file usage
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jakub, jlieskov, jrusnack, kasal
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: public=20110514,reported=20110514,source=debian,impact=low,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,fedora-all/mk-files=affected,rhel-4/pmake=wontfix,cwe=CWE-377
Doc Type: Bug Fix
Last Closed: 2015-08-21 19:38:29 EDT
Bug Depends On: 705103

Description Vincent Danen 2011-05-16 11:55:39 EDT
A Debian bug report [1] noted that pmake (and mk-files in Fedora) contained the files /usr/share/mk/bsd.{lib,prog}.mk that created temporary files insecurely with predictable file names in /tmp (/tmp/_depend[PID]), ignoring any $TMPDIR values.

In lib.mk:

afterdepend: .depend
    @(TMP=/tmp/_depend$$$$; \
        sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
          < .depend > $$TMP; \
        mv $$TMP .depend)
.endif

The same is found in prog.mk (in Fedora's mk-files package).

The Debian bug report proposes to use mktemp here:

-   @(TMP=/tmp/_depend$$$$; \
+   @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
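Review bot: on the `+` line, mktemp creates the scratch file with mode 0600 under $TMPDIR or /tmp, and the unchanged `mv $$TMP .depend` that follows carries that mode onto .depend instead of the umask default; when the temporary directory is on another filesystem the mv is also a copy rather than an atomic rename. Creating the file beside the target, with a template such as .depend.XXXXXXXXXX in the current directory, avoids both. Only the mktemp failure is checked here: the remaining commands are joined with `;`, so a failing sed still reaches the mv and replaces .depend with whatever was written.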

Upstream has already corrected this by removing the offending code [2],[3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
[2] http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk.diff?r1=1.239&r2=1.240
[3] http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk.diff?r1=1.192&r2=1.193
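
A hardened form of the afterdepend rewrite described above, as an added example that is not part of this bug report, the Debian patch or mk-files. The function name rewrite_depend is hypothetical; it assumes a mktemp that accepts a full path template and it places the scratch file beside .depend instead of in /tmp.

```shell
#!/bin/sh
# Added example (not from mk-files): rewrite .depend without a predictable
# name in a shared directory. The rule quoted in the report used
# TMP=/tmp/_depend<PID>, which any local user can create in advance.

rewrite_depend() {
    dep=${1:-.depend}

    # Directory of the target file; "." when no slash is present.
    case $dep in
        */*) dir=${dep%/*} ;;
        *)   dir=. ;;
    esac

    # mktemp picks an unpredictable suffix and creates the file exclusively,
    # so an existing file or symlink with that name is never opened.
    # Same directory as the target means the final mv is an atomic rename.
    tmp=$(mktemp "$dir/.depend.XXXXXXXXXX") || return 1

    # Same sed expression as the original rule (make's $$ escapes removed).
    if sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
           < "$dep" > "$tmp"
    then
        # mktemp creates the file 0600; give it the mode the umask would
        # have produced for a normally created file before renaming.
        mode=$(printf '%o' $((0666 & ~$(umask))))
        chmod "$mode" "$tmp" && mv -f "$tmp" "$dep" && return 0
    fi

    # Any failure: remove the scratch file and leave .depend untouched.
    rm -f "$tmp"
    return 1
}
```
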
Comment 1 Vincent Danen 2011-05-16 12:00:51 EDT
*** Bug 705090 has been marked as a duplicate of this bug. ***
Comment 2 Vincent Danen 2011-05-16 12:02:26 EDT
Created mk-files tracking bugs for this issue

Affects: fedora-all [bug 705103]
Comment 3 Vincent Danen 2011-05-16 12:03:38 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. We do not currently plan to fix this flaw in Red Hat Enterprise Linux 4. If more information becomes available at a future date, we may revisit the issue.
Comment 4 Vincent Danen 2011-05-16 17:52:21 EDT
This was assigned the name CVE-2011-1920.