Bug 136314 - CAN-2004-0969 temporary file vulnerabilities in groffer script
Summary: CAN-2004-0969 temporary file vulnerabilities in groffer script
Status: CLOSED DUPLICATE of bug 152840
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: groff
Version: fc2
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, 2, NEEDSWORK
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-10-19 10:06 UTC by Mark J. Cox
Modified: 2007-04-18 17:13 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-09-05 07:52:53 UTC


Attachments (Terms of Use)
tmp_create() function fix in groffer script (522 bytes, patch)
2005-01-27 13:30 UTC, Jindrich Novy
no flags Details | Diff

Description Mark J. Cox 2004-10-19 10:06:16 UTC
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in groffer.  Patch attached to bug
136313, however the
patch is for groff-1.19 and the groffer script is very different in
the version shipped in RHEL3.  However there looks to be a similar
temporary file vulnerability that could be fixed in a similar way to
the patch.

Comment 1 Jindrich Novy 2005-01-27 13:30:55 UTC
Created attachment 110290 [details]
tmp_create() function fix in groffer script

Mark, Josh,

I fixed the tmp_create() function that is frequently used within the groffer.
At some places I see constructs like this:

      sh -c '
	set -e;
	_PROCESS_ID="$$";
	_modefile="${_TMP_DIR}/${_PROGRAM_NAME}${_PROCESS_ID}";
	rm -f "${_modefile}";
	mv "${_TMP_CAT}" "${_modefile}";
	rm -f "${_TMP_CAT}";
	cat "${_modefile}" | \
	(
	  clean_up()
	  {
	    rm -f "${_modefile}";
	  }
	  trap clean_up EXIT 2>/dev/null || true;
	  eval "${_groggy}" "${_ADDOPTS_GROFF}";
	) &'
      ;;

Is this also considered as an security issue? I think file name
generation based on PID isn't too good, but in this case it's rather safe,
right? If so, the attached patch is sufficient to fix this.

Comment 2 Josh Bressers 2005-01-27 16:18:40 UTC
This is still not going to be an appropriate fix.  It's better than it was, but
there is still a potential race condition.  Ideally /bin/mktemp should be used,
with an approprate umask set before the temp file is created to prevent an
information leak.

Comment 3 Matthew Miller 2005-04-11 22:18:54 UTC
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]

Comment 4 Marc Deslauriers 2005-04-20 23:09:29 UTC
See also bug 136313 and bug 152840.

Comment 5 Aleksey Nogin 2005-06-09 01:17:56 UTC
See also Bug 90631 ("1.19.1 is latest release")

Comment 6 David Eisenstein 2005-09-05 07:19:00 UTC
Why don't we (Fedora Legacy) combine this bug with 152840 so we can have all
things groffer in one place?

Comment 7 Pekka Savola 2005-09-05 07:52:53 UTC
Sure, why not... merging these two..

*** This bug has been marked as a duplicate of 152840 ***


Note You need to log in before you can comment on or make changes to this bug.