Bug 158995 - (CVE-2005-1751) CVE-2005-1751 shtool: insecure temporary file creation
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Reported: 2005-05-27 11:22 EDT by Josh Bressers
Modified: 2016-03-04 05:55 EST
Doc Type: Bug Fix
Last Closed: 2011-06-29 10:38:48 EDT

Attachments
Upstream fix (1.31 KB, patch)
2011-06-29 11:46 EDT, Tomas Hoger

Description Josh Bressers 2005-05-27 11:22:07 EDT
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.

nmap contains shtool in its source.
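
The bug class named in the description, as an added example (not shtool's code and not part of the original report): a write to a predictable `.shtool.$$`-style path beside two hardened alternatives, run in a throwaway sandbox. All function names and the sandbox layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration of the bug class; not shtool's code. All names are hypothetical.

# Weak: the name is guessable ($$ is the PID) and ">" follows symlinks, so a
# link already present at that path sends the write to the link's target.
weak_create() {
    f="$1/.shtool.$$"
    echo scratch > "$f"
}

# Hardened (1): with noclobber, ">" refuses to write when the path already
# leads to an existing regular file, including through a symlink.
excl_create() {
    ( set -C; umask 077; : > "$1" ) 2>/dev/null
}

# Hardened (2): work inside a private directory with an unpredictable name.
# mktemp -d creates it atomically with mode 0700; the mkdir fallback is also
# atomic and fails if the name is already taken.
private_tmpdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    mktemp -d "$base/build.XXXXXXXXXX" 2>/dev/null && return 0
    d="$base/build.$$.$(date +%s)"
    ( umask 077; mkdir "$d" ) 2>/dev/null || return 1
    printf '%s\n' "$d"
}

# Constructed scenario in a throwaway sandbox: a link already sits at the
# predictable path and points at a file the build user can write.
demo() {
    box=$(private_tmpdir) || return 1
    echo important > "$box/victim"
    ln -s "$box/victim" "$box/.shtool.$$"
    if excl_create "$box/.shtool.$$"; then r=written; else r=refused; fi
    after_safe=$(cat "$box/victim")      # still "important"
    weak_create "$box"
    after_weak=$(cat "$box/victim")      # now "scratch": the write followed the link
    work=$(private_tmpdir "$box") && mode=$(ls -ld "$work" | cut -c1-10)
    rm -rf "$box"
    printf '%s %s %s %s\n' "$r" "$after_safe" "$after_weak" "$mode"
}

demo
```

Of the two hardened forms, the private directory is the stronger one, because nothing outside the build user can place a link inside a mode 0700 directory.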
Comment 1 Josh Bressers 2005-05-27 11:23:16 EDT
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Harald Hoyer 2005-06-09 09:14:11 EDT
shtool is only used in the build process, so a user can only be compromised
when he rebuilds nmap.
Comment 3 Josh Bressers 2005-06-09 09:15:52 EDT
Correct, please just keep this fix on the shelf for the next nmap update.
Comment 4 Tomas Hoger 2011-06-29 10:38:48 EDT
Red Hat Enterprise Linux 2.1 and 3 reached end of life already.  Red Hat Enterprise Linux 4 is in the Production 3 phase of its life cycle:


There is no plan to address this flaw in Red Hat Enterprise Linux 4, as it does not affect binary nmap packages, and is only a problem during the package rebuilds.
Comment 5 Tomas Hoger 2011-06-29 11:46:57 EDT
Created attachment 510494
Upstream fix

Upstream change extracted from 2.0.1 -> 2.0.2 diff.  Noted for posterity.
Comment 6 Tomas Hoger 2011-06-29 11:55:32 EDT
I have double-checked the shtool version bundled with nmap sources in Red Hat Enterprise Linux 3 and 4.  That version did not contain relevant code for creating temporary files, and hence was not affected by this problem.

This issue was addressed in the shtool version embedded with PHP versions in Red Hat Enterprise Linux 3 and 4:

Upstream PHP bug indicates affected code was not used during PHP build:

The shtool version containing this bug is part of openldap sources (RHEL-4 and compat in RHEL-5) and rrdtool sources (RHEL-6), but the affected code is not used.

Other components embedding shtool shipped in Red Hat Enterprise Linux contain a patched upstream shtool version (php, openldap, pth, nmap in RHEL-5 and RHEL-6, and lzo, lzop, uuid in RHEL-6).
