Bug 166365 - CAN-2005-2693 CVS temporary file issue
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cvs
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Martin Stransky
QA Contact: Ben Levenson
Whiteboard: impact=low,reported=20050819,source=v...
Keywords: Security

Reported: 2005-08-19 15:39 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2005-756
Doc Type: Bug Fix
Last Closed: 2005-09-06 09:41:53 EDT
Description Josh Bressers 2005-08-19 15:39:23 EDT
Insecure temporary file usage was found in the cvsbug program.  It is possible
that a malicious user could leverage this issue to execute arbitrary
instructions as the user running cvsbug.

Here is the suggested patch

Index: cvs-1.12.12/src/cvsbug.in
===================================================================
--- cvs-1.12.12.orig/src/cvsbug.in
+++ cvs-1.12.12/src/cvsbug.in
@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP
   fi
 fi

 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
   ORIGINATOR="`cat $TEMP`"
-  rm -f $TEMP
+  > $TEMP
 fi

 if [ -n "$ORGANIZATION" ]; then
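
Review bot: in both changed places the value is written to $TEMP only to be read straight back by `cat $TEMP` on the next line, so ORIGINATOR does not need the temporary file at all; assigning it from a command substitution of the grep | cut | sed pipeline would remove the write and make the choice between `rm -f $TEMP` and `> $TEMP` moot for these lines. If the file has to stay, note that `> $TEMP` only keeps the name occupied and still relies on $TEMP having been created safely earlier in the script, which this hunk does not show, and that $TEMP is unquoted in every redirect and `cat` here.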


Additionally, OWL has a number of additional temporary file fixes, most of which
are not security related:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/cvs/
Comment 1 Josh Bressers 2005-08-19 15:41:54 EDT
This issue should affect RHEL2.1 and RHEL3 as well.
Comment 2 Martin Stransky 2005-08-22 11:12:39 EDT
I'm not sure if this patch solves any problem (what is different if you change
"rm -f" to ">" when it comes to security?), and are you sure that this is a
security issue? The only attack that I can imagine is setting the $TMPDIR
variable to any malicious value, but only the user himself or root can do this,
so I don't see a problem here... Or is there any other problem?
Comment 3 Josh Bressers 2005-08-22 11:19:42 EDT
It could be.  It will really depend on the usage (I honestly don't know, I've
not fully investigated this).  By using rm -f, you are removing the file, which
could allow a malicious user (unlikely, but possible) to create a new file
before you do.  Depending how the contents of the file are then used, it could
let an attacker run arbitrary commands.

">" just overwrites the file, keeping permissions, so it is safer.
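
The difference discussed in Comment 3, as an added shell demonstration that is not part of the bug report or of cvsbug: it compares what is left on disk after `rm -f` and after `>`, and also runs the patch's pipeline without any temporary file. The file name cvsbug.tmp, the function names and the sample passwd line are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added demonstration; cvsbug.tmp and all function names are hypothetical.
# Everything happens inside a private scratch directory from mktemp -d.

inode_of() { ls -di "$1" | awk '{print $1}'; }
mode_of()  { ls -ld "$1" | cut -c1-10; }

# Create a 0600 file holding a value, the way cvsbug stages ORIGINATOR.
make_temp() {
    dir=$(mktemp -d) || return 1
    f="$dir/cvsbug.tmp"
    ( umask 077; echo "Jane Doe" > "$f" )
}

# "rm -f $TEMP": the name disappears and is free to be created again.
after_rm() {
    make_temp || return 1
    rm -f "$f"
    if [ -e "$f" ]; then state=present; else state=absent; fi
    rm -rf "$dir"
    echo "$state"
}

# "> $TEMP": same inode, same mode, zero bytes; the name stays occupied.
after_truncate() {
    make_temp || return 1
    before="$(inode_of "$f") $(mode_of "$f")"
    : > "$f"
    after="$(inode_of "$f") $(mode_of "$f")"
    size=$(wc -c < "$f" | tr -d ' ')
    rm -rf "$dir"
    if [ "$before" = "$after" ] && [ "$size" = 0 ]; then
        echo same-file
    else
        echo changed
    fi
}

# The patch's grep | cut | sed pipeline captured directly, with no temp file.
# Reads passwd-format lines on stdin; $1 is the login name.
originator_of() {
    grep "^$1:" | cut -f5 -d':' | sed -e 's/,.*//'
}

# Constructed sample passwd line.
sample='jdoe:x:1000:1000:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/sh'
echo "after rm -f:  $(after_rm)"
echo "after > file: $(after_truncate)"
echo "originator:   $(printf '%s\n' "$sample" | originator_of jdoe)"
```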
Comment 4 Martin Stransky 2005-08-23 05:07:07 EDT
okay. Is this issue planned for async errata?
Comment 5 Red Hat Bugzilla 2005-09-06 09:41:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-756.html