Bug 158995 - (CVE-2005-1751) CVE-2005-1751 shtool: insecure temporary file creation
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
public=20050524,reported=20050526,sou...
: Security
Reported: 2005-05-27 11:22 EDT by Josh Bressers
Modified: 2016-03-04 05:55 EST
Doc Type: Bug Fix
Last Closed: 2011-06-29 10:38:48 EDT

Attachments
Upstream fix (1.31 KB, patch)
2011-06-29 11:46 EDT, Tomas Hoger

Description Josh Bressers 2005-05-27 11:22:07 EDT
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
http://www.zataz.net/adviso/shtool-05252005.txt

nmap contains shtool in its source.
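
An added illustration of the flaw described above, not code from shtool or from the upstream patch attached to this bug: a sandboxed check of whether a temp-file writer follows a symlink that already sits at the predictable `.shtool.$$` name. The function names and the two hardened variants (noclobber and mktemp) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from shtool.

# The reported pattern: PID-based name opened with a plain redirect.
# If the path already exists as a symlink, the write goes to its target.
write_tmp_predictable() {
    dir=$1; data=$2
    tmp="$dir/.shtool.$$"
    printf '%s\n' "$data" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Same name, but noclobber (set -C) and umask 077 in a subshell: the redirect
# fails if the path already exists as a regular file, or as a symlink to one.
write_tmp_noclobber() {
    dir=$1; data=$2
    tmp="$dir/.shtool.$$"
    ( umask 077; set -C; printf '%s\n' "$data" > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# mktemp(1): unpredictable suffix, exclusive create, mode 0600.
write_tmp_mktemp() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/.shtool.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Check (constructed fixture): in a private sandbox, pre-create the
# predictable name as a symlink to an empty "victim" file, run the writer,
# and return 0 only if the victim received data.
follows_symlink() {
    writer=$1
    box=$(mktemp -d) || return 2
    : > "$box/victim"
    ln -s "$box/victim" "$box/.shtool.$$"
    "$writer" "$box" payload >/dev/null 2>&1 || :
    if [ -s "$box/victim" ]; then rc=0; else rc=1; fi
    rm -rf "$box"
    return "$rc"
}

for w in write_tmp_predictable write_tmp_noclobber write_tmp_mktemp; do
    if follows_symlink "$w"; then echo "$w: wrote through the symlink"
    else echo "$w: symlink not followed"; fi
done
```

noclobber only refuses paths that resolve to an existing regular file (or a dangling link), so mktemp is the better choice wherever it is available.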
Comment 1 Josh Bressers 2005-05-27 11:23:16 EDT
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Harald Hoyer 2005-06-09 09:14:11 EDT
shtool is only used in the build process. So a user can only be compromised
when he rebuilds nmap.
Comment 3 Josh Bressers 2005-06-09 09:15:52 EDT
Correct, please just keep this fix on the shelf for the next nmap update.
Comment 4 Tomas Hoger 2011-06-29 10:38:48 EDT
Red Hat Enterprise Linux 2.1 and 3 reached end of life already.  Red Hat Enterprise Linux 4 is in the Production 3 phase of its life cycle:

https://access.redhat.com/support/policy/updates/errata/

There is no plan to address this flaw in Red Hat Enterprise Linux 4, as it does not affect binary nmap packages, and is only a problem during the package rebuilds.
Comment 5 Tomas Hoger 2011-06-29 11:46:57 EDT
Created attachment 510494
Upstream fix

Upstream change extracted from 2.0.1 -> 2.0.2 diff.  Noted for posterity.
Comment 6 Tomas Hoger 2011-06-29 11:55:32 EDT
I have double-checked the shtool version bundled with nmap sources in Red Hat Enterprise Linux 3 and 4. That version did not contain relevant code for creating temporary files, and hence was not affected by this problem.


This issue was addressed in the shtool version embedded with PHP versions in Red Hat Enterprise Linux 3 and 4:
https://www.redhat.com/security/data/cve/CVE-2005-1751.html

Upstream PHP bug indicates affected code was not used during PHP build:
https://bugs.php.net/bug.php?id=33150


The shtool version containing this bug is part of openldap sources (RHEL-4 and compat in RHEL-5) and rrdtool sources (RHEL-6), but the affected code is not used.


Other components embedding shtool shipped in Red Hat Enterprise Linux contain a patched upstream shtool version (php, openldap, pth, nmap in RHEL-5 and RHEL-6, and lzo, lzop, uuid in RHEL-6).
