Bug 136314 - CAN-2004-0969 temporary file vulnerabilities in groffer script
Status: CLOSED DUPLICATE of bug 152840
Product: Fedora Legacy
Classification: Retired
Component: groff
Version: fc2
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 2, NEEDSWORK
Keywords: Security
Reported: 2004-10-19 06:06 EDT by Mark J. Cox (Product Security)
Modified: 2007-04-18 13:13 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-09-05 03:52:53 EDT

Attachments
tmp_create() function fix in groffer script (522 bytes, patch)
2005-01-27 08:30 EST, Jindrich Novy
Description Mark J. Cox (Product Security) 2004-10-19 06:06:16 EDT
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep 30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in groffer.  Patch attached to bug
136313, however the patch is for groff-1.19 and the groffer script is
very different in the version shipped in RHEL3.  However there looks
to be a similar temporary file vulnerability that could be fixed in a
similar way to the patch.
Comment 1 Jindrich Novy 2005-01-27 08:30:55 EST
Created attachment 110290
tmp_create() function fix in groffer script

Mark, Josh,

I fixed the tmp_create() function that is frequently used within the groffer.
At some places I see constructs like this:

      sh -c '
	set -e;
	_PROCESS_ID="$$";
	_modefile="${_TMP_DIR}/${_PROGRAM_NAME}${_PROCESS_ID}";
	rm -f "${_modefile}";
	mv "${_TMP_CAT}" "${_modefile}";
	rm -f "${_TMP_CAT}";
	cat "${_modefile}" | \
	(
	  clean_up()
	  {
	    rm -f "${_modefile}";
	  }
	  trap clean_up EXIT 2>/dev/null || true;
	  eval "${_groggy}" "${_ADDOPTS_GROFF}";
	) &'
      ;;

Is this also considered as a security issue? I think file name
generation based on PID isn't too good, but in this case it's rather safe,
right? If so, the attached patch is sufficient to fix this.
Comment 2 Josh Bressers 2005-01-27 11:18:40 EST
This is still not going to be an appropriate fix.  It's better than it was, but
there is still a potential race condition.  Ideally /bin/mktemp should be used,
with an appropriate umask set before the temp file is created to prevent an
information leak.
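
The approach Comment 2 recommends (mktemp plus a restrictive umask), sketched as an added example that is not part of the original comments or the attached patch. The function names and the "groffer." template prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not groffer code. Function names and the "groffer."
# template prefix are assumptions made for illustration.

# Create an empty temp file and print its path. mktemp chooses an
# unpredictable name and creates the file exclusively, so a file or
# symlink planted in advance at a guessable path is never opened.
tmp_create_safe() {
  # umask 077 in a subshell: owner-only access, caller's umask untouched.
  ( umask 077; mktemp "${TMPDIR:-/tmp}/groffer.XXXXXXXXXX" )
}

# Copy file $1 into a private temp file and print the new path; stands in
# for moving staged output to a file named after the process ID.
stage_private_copy() {
  _dst=$(tmp_create_safe) || return 1
  cat "$1" > "$_dst" || { rm -f "$_dst"; return 1; }
  printf '%s\n' "$_dst"
}

# First ten characters of `ls -ld` output, e.g. "-rw-------".
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# Demo with constructed input.
_src=$(tmp_create_safe)
printf 'constructed sample page\n' > "$_src"
_copy=$(stage_private_copy "$_src")
echo "$_copy $(perm_string "$_copy")"
rm -f "$_src" "$_copy"
```

Because the name comes from mktemp rather than from `$$`, the `rm -f` before use in the construct quoted in Comment 1 is no longer needed.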
Comment 3 Matthew Miller 2005-04-11 18:18:54 EDT
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Comment 4 Marc Deslauriers 2005-04-20 19:09:29 EDT
See also bug 136313 and bug 152840.
Comment 5 Aleksey Nogin 2005-06-08 21:17:56 EDT
See also Bug 90631 ("1.19.1 is latest release")
Comment 6 David Eisenstein 2005-09-05 03:19:00 EDT
Why don't we (Fedora Legacy) combine this bug with 152840 so we can have all
things groffer in one place?
Comment 7 Pekka Savola 2005-09-05 03:52:53 EDT
Sure, why not... merging these two..

*** This bug has been marked as a duplicate of 152840 ***