Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

In the file ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

and in the file ./389-admin-1.1.36/lib/libadmin/httpcon.c
char *dbd = "/tmp/http_trace.%d";

The Perl code should use mkstemp() and the C code should use mkstemp(). These issues are only locally exploitable and require administrative action in order to exploit.
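The two patterns named in the report, rewritten side by side as an added illustration (this is not 389-admin's own code): the predictable "/tmp/http_trace.%d" name opened with fopen(), the mkstemp() replacement recommended above, a mkdtemp() equivalent for the "/tmp/adm-sec-files.<pid>" backup directory, and an audit check a packager can run on the result. Function names and the XXXXXX templates are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pattern from the report: a predictable name built from a PID or counter,
 * opened with fopen(), which follows symlinks and truncates whatever is there. */
static FILE *open_trace_predictable(int conn_id) {
    char path[256];
    snprintf(path, sizeof path, "/tmp/http_trace.%d", conn_id);
    return fopen(path, "w");
}

/* Hardened form: mkstemp() replaces the XXXXXX with a random suffix and opens
 * the file with O_CREAT|O_EXCL and mode 0600, so a pre-existing file or
 * symlink at a guessed name is never opened. out_path receives the real name. */
#define TRACE_TEMPLATE "/tmp/http_trace.XXXXXX"   /* assumed template */
static FILE *open_trace_mkstemp(char *out_path, size_t out_len) {
    if (out_len < sizeof TRACE_TEMPLATE) return NULL;
    memcpy(out_path, TRACE_TEMPLATE, sizeof TRACE_TEMPLATE);
    int fd = mkstemp(out_path);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) { close(fd); unlink(out_path); }
    return f;
}

/* Same fix for the Perl backup-directory case: mkdtemp() creates a fresh
 * 0700 directory instead of "/tmp/adm-sec-files.<pid>". Returns 0 on success. */
#define BACKUP_TEMPLATE "/tmp/adm-sec-files.XXXXXX"   /* assumed template */
static int make_backup_dir(char *out_path, size_t out_len) {
    if (out_len < sizeof BACKUP_TEMPLATE) return -1;
    memcpy(out_path, BACKUP_TEMPLATE, sizeof BACKUP_TEMPLATE);
    return mkdtemp(out_path) == NULL ? -1 : 0;
}

/* Audit check for either result: not a symlink (lstat), right type, private
 * mode, owned by the caller, and the template was actually filled in. 1 = safe. */
static int tmp_path_is_private(const char *path, int want_dir) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) return 0;
    if ((st.st_mode & 0777) != (mode_t)(want_dir ? 0700 : 0600)) return 0;
    if (st.st_uid != getuid()) return 0;
    return strstr(path, "XXXXXX") == NULL;
}
```

The fopen() variant passes the audit only by accident of the process umask, while the mkstemp()/mkdtemp() results pass regardless, which is the property a reviewer wants to verify after such a fix.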
Statement: This issue affects the versions of 389-admin as shipped with Red Hat Directory Server 9.1. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created 389-admin tracking bugs for this issue:

Affects: fedora-all [bug 1183153]
Affects: epel-all [bug 1183154]
Acknowledgement: This issue was discovered by Kurt Seifried of Red Hat Product Security.
Hi Kurt,

I took a look at the 2 cases you pointed out.

1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

Luckily, the code was introduced by this bug for RHDS10.0 which is not released at all including fedora and epel.
https://bugzilla.redhat.com/show_bug.cgi?id=1173252
Thus, we could just reopen this bug (and the corresponding ticket) to take care of the /tmp issue.

2) ./389-admin-1.1.36/lib/libadmin/httpcon.c

And this is pure debug code which does not get built with DEBUG_TRACE enabled. Probably, we could comment out the "/tmp/http_trace.%d" part. But I don't think it is a target of a CVE.
/* #define DEBUG_TRACE 1 */
#undef DEBUG_TRACE

#ifdef DEBUG_TRACE
FILE *dbf = NULL;
int numconns = 0;
char *dbd = "/tmp/http_trace.%d";
char dbp[256];
#endif

That being said, could it be possible to close this CVE bug and let us work on the 2 issues as a normal issue for DS10? Thanks!!
(In reply to Noriko Hosoi from comment #5)
> Hi Kurt,
>
> I took a look at the 2 cases you pointed out.
>
> 1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
> my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
>
> Luckily, the code was introduced by this bug for RHDS10.0 which is not
> released at all including fedora and epel.
> https://bugzilla.redhat.com/show_bug.cgi?id=1173252
> Thus, we could just reopen this bug (and the corresponding ticket) to take
> care of the /tmp issue.
>
> 2) ./389-admin-1.1.36/lib/libadmin/httpcon.c
>
> And this is pure debug code which does not get built with DEBUG_TRACE
> enabled. Probably, we could comment out the "/tmp/http_trace.%d" part. But I
> don't think it is a target of a CVE.
> /* #define DEBUG_TRACE 1 */
> #undef DEBUG_TRACE
>
> #ifdef DEBUG_TRACE
> FILE *dbf = NULL;
> int numconns = 0;
> char *dbd = "/tmp/http_trace.%d";
> char dbp[256];
> #endif
>
> That being said, could it be possible to close this CVE bug and let us
> work on the 2 issues as a normal issue for DS10? Thanks!!

Apologies, this was not marked NEEDINFO so I didn't see it in my BZ spam. It appears this was fixed, so closing CURRENTRELEASE.