Bug 745479 (CVE-2011-3618)

Summary: CVE-2011-3618 atop: Insecure temporary file use flaw by management of runtime data
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: low
Priority: low
Version: unspecified
CC: gilboad, gwync
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 745480, 745481, 745482

Description Jan Lieskovsky 2011-10-12 13:46:07 UTC
An insecure temporary file use flaw was found in the way atop, an advanced interactive monitor to view the load on system and process level, kept its temporary runtime data in temporary files. A local attacker could use this flaw to conduct symlink attacks (make atop remove a file named 'atop.acct' in the linked-to directory).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
[2] http://www.openwall.com/lists/oss-security/2011/10/09/5
    (CVE request)
[3] http://www.openwall.com/lists/oss-security/2011/10/10/10
    (CVE assignment)

Patches applied by Debian Linux distribution:
[5] http://mozilla.mirror.pop-sc.rnp.br/mirror/Debian/pool/main/a/atop/atop_1.23-1+lenny1.diff.gz
    (relevant change)
[6] http://patch-tracker.debian.org/package/atop/1.23-1+lenny1
    (link to patch-tracker Debian patch changes tracking system)
[7] http://patch-tracker.debian.org/patch/misc/view/atop/1.23-1+lenny1/acctproc.c
    (underlying acctproc.c change)
[8] http://patch-tracker.debian.org/patch/misc/view/atop/1.23-1+lenny1/rawlog.c
    (relevant rawlog.c change)

Note: It is better to apply patch [5] as a whole (those parts which are applicable).
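The flaw described above is a symlink attack on predictably named runtime files. As an added example (not atop's code and not the Debian patch), the C code below shows the defensive pattern for such runtime data: a private directory created with mkdtemp(), opened with O_NOFOLLOW and checked for type, owner and mode, and the accounting file removed with unlinkat() relative to that directory fd, so a planted symlink cannot redirect the removal. Function names and the /tmp base path are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the runtime directory without following symlinks and confirm it is a real
 * directory owned by the caller with no group/other access. Returns fd or -1. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                      /* a symlink here fails with ELOOP */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Remove a single-component name relative to the verified directory fd;
 * unlinkat() keeps the removal inside that directory. Returns 0 or -1. */
int remove_runtime_file(const char *dir, const char *name)
{
    if (*name == '\0' || strchr(name, '/') != NULL) return -1;
    int dfd = open_private_dir(dir);
    if (dfd < 0) return -1;
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}
/* Stand-alone demonstration with a constructed "acct" file inside a mkdtemp()
 * directory (mode 0700, unpredictable name). Returns how many checks held (4). */
int demo(void)
{
    char dir[] = "/tmp/atop-example.XXXXXX", path[64];   /* hypothetical base path */
    int ok = 0, fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/acct", dir);
    ok += (fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0 && close(fd) == 0;
    ok += remove_runtime_file(dir, "acct") == 0;                 /* normal removal works */
    snprintf(path, sizeof path, "%s/link", dir);
    ok += symlink(dir, path) == 0 && open_private_dir(path) < 0; /* symlink is refused */
    unlink(path);
    ok += remove_runtime_file(dir, "sub/acct") == -1;            /* path components refused */
    rmdir(dir);
    return ok;
}
```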

Comment 1 Jan Lieskovsky 2011-10-12 13:47:48 UTC
This issue affects the version of the atop package as shipped with Fedora releases 15 and 14. Please schedule an update.

--

This issue affects the version of the atop package as present within the EPEL-5 and EPEL-4 repositories. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-10-12 13:49:04 UTC
Created atop tracking bugs for this issue

Affects: fedora-all [bug 745480]
Affects: epel-5 [bug 745481]
Affects: epel-4 [bug 745482]

Comment 3 Gwyn Ciesla 2011-10-12 14:46:31 UTC
I think these are addressed in 1.26.  I'll get that out immediately and have a deeper look.

Comment 4 Jan Lieskovsky 2011-10-13 10:52:41 UTC
(In reply to comment #3)
> I think these are addressed in 1.26.  I'll get that out immediately and have a
> deeper look.

Brilliant, thanks Jon.

Comment 5 Jan Lieskovsky 2011-10-13 10:56:55 UTC
This issue has been scheduled to be corrected in the following updates:
1) atop-1.26-1.fc15 for Fedora 15,
2) atop-1.26-1.fc14.1 for Fedora 14,
3) atop-1.26-1.el5.1 for Fedora EPEL 5,
4) atop-1.26-1.el4.1 for Fedora EPEL 4.

These updates have been pushed to the respective -testing repositories. Once they have passed the required level of testing, they will be pushed to the relevant -stable repositories.