Bug 158995 (CVE-2005-1751) - CVE-2005-1751 shtool: insecure temporary file creation
Status: CLOSED WONTFIX
Alias: CVE-2005-1751
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2005-05-27 15:22 UTC by Josh Bressers
Modified: 2022-05-03 11:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-06-29 14:38:48 UTC


Attachments
Upstream fix (1.31 KB, patch)
2011-06-29 15:46 UTC, Tomas Hoger

Description Josh Bressers 2005-05-27 15:22:07 UTC
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
http://www.zataz.net/adviso/shtool-05252005.txt

nmap contains shtool in its source.
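
The weakness described above is a work file whose name is predictable (`.shtool.$$` embeds only the PID) and which is created without an exclusive open. The following is an added example, not part of the original report and not shtool's code or its upstream fix; it shows one way to create such a work file safely in shell, and the function names and the `work` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not shtool's code: function names are hypothetical.
# Weak pattern from the report: "$dir/.shtool.$$" is guessable (the PID is
# public) and a plain ">" redirect follows a symlink already at that path.

# Create the file at $1 only if nothing usable exists there. With noclobber
# (set -C) the redirect refuses an existing regular file, including one
# reached through a symlink; bash and dash open new names with
# O_CREAT|O_EXCL, so a dangling symlink is refused too.
# umask 077 makes the new file owner-only (0600).
create_exclusive() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# Preferred: an unpredictable, mode-0700 directory from mktemp -d, with the
# work file created inside it. Prints the work file path on success.
make_private_tmp() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/shtool.XXXXXXXXXX") || return 1
    create_exclusive "$dir/work" || { rmdir "$dir"; return 1; }
    printf '%s\n' "$dir/work"
}

# Constructed scenario: a symlink already sits at the predictable name.
# Returns 0 only if the exclusive create refused it and the file the link
# points to kept its content.
check_preplanted_link() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXXXXXX") || return 1
    printf 'original\n' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/.shtool.$$"
    rc=0
    if create_exclusive "$scratch/.shtool.$$"; then rc=1; fi
    [ "$(cat "$scratch/target")" = "original" ] || rc=1
    rm -rf "$scratch"
    return $rc
}
```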

Comment 1 Josh Bressers 2005-05-27 15:23:16 UTC
This issue should also affect RHEL2.1 and RHEL3

Comment 2 Harald Hoyer 2005-06-09 13:14:11 UTC
shtool is only used in the build process, so a user can only be compromised
when he rebuilds nmap.

Comment 3 Josh Bressers 2005-06-09 13:15:52 UTC
Correct, please just keep this fix on the shelf for the next nmap update.

Comment 4 Tomas Hoger 2011-06-29 14:38:48 UTC
Red Hat Enterprise Linux 2.1 and 3 reached end of life already.  Red Hat Enterprise Linux 4 is in the Production 3 phase of its life cycle:

https://access.redhat.com/support/policy/updates/errata/

There is no plan to address this flaw in Red Hat Enterprise Linux 4, as it does not affect binary nmap packages, and is only a problem during the package rebuilds.

Comment 5 Tomas Hoger 2011-06-29 15:46:57 UTC
Created attachment 510494
Upstream fix

Upstream change extracted from 2.0.1 -> 2.0.2 diff.  Noted for posterity.

Comment 6 Tomas Hoger 2011-06-29 15:55:32 UTC
I have double-checked the shtool version bundled with nmap sources in Red Hat Enterprise Linux 3 and 4.  That version did not contain the relevant code for creating temporary files, and hence was not affected by this problem.


This issue was addressed in the shtool version embedded with PHP versions in Red Hat Enterprise Linux 3 and 4:
https://www.redhat.com/security/data/cve/CVE-2005-1751.html

The upstream PHP bug indicates the affected code was not used during the PHP build:
https://bugs.php.net/bug.php?id=33150


The shtool version containing this bug is part of openldap sources (RHEL-4 and compat in RHEL-5) and rrdtool sources (RHEL-6), but the affected code is not used.


Other components embedding shtool shipped in Red Hat Enterprise Linux contain a patched upstream shtool version (php, openldap, pth, nmap in RHEL-5 and RHEL-6, and lzo, lzop, uuid in RHEL-6).

