Bug 166365 - CAN-2005-2693 CVS temporary file issue
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cvs   
Version: 4.0
Hardware: All
OS: Linux
Assignee: Martin Stransky
QA Contact: Ben Levenson
Whiteboard: impact=low,reported=20050819,source=v...
Keywords: Security
Reported: 2005-08-19 19:39 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2005-756
Doc Type: Bug Fix
Last Closed: 2005-09-06 13:41:53 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:756 normal SHIPPED_LIVE Low: cvs security update 2005-09-06 04:00:00 UTC

Description Josh Bressers 2005-08-19 19:39:23 UTC
Insecure temporary file usage was found in the cvsbug program.  It is possible
that a malicious user could leverage this issue to execute arbitrary
instructions as the user running cvsbug.

Here is the suggested patch

Index: cvs-1.12.12/src/cvsbug.in
--- cvs-1.12.12.orig/src/cvsbug.in
+++ cvs-1.12.12/src/cvsbug.in
@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP

 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
-  rm -f $TEMP
+  > $TEMP

 if [ -n "$ORGANIZATION" ]; then
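Review bot: In both changed places the value is still round-tripped through `$TEMP` (pipeline `> $TEMP`, read back with `cat $TEMP`, then `> $TEMP`), so the change is only as safe as the way `$TEMP` was created, which this hunk does not show. Assigning the pipeline output to ORIGINATOR directly with command substitution would take the file out of these steps entirely; if the file stays, quote it as `> "$TEMP"`. In the second region as shown, the `grep ... > $TEMP` output is truncated on the next line with no read of `$TEMP` visible in between, which is worth checking against the full file.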

Additionally, OWL has a number of additional temporary file fixes, most of which
are not security related:

Comment 1 Josh Bressers 2005-08-19 19:41:54 UTC
This issue should affect RHEL2.1 and RHEL3 as well.

Comment 2 Martin Stransky 2005-08-22 15:12:39 UTC
I'm not sure if this patch solves any problem (what is different if you change
"rm -f" to ">" when it comes to security?), and are you sure that this is a
security issue? The only attack that I can imagine is setting the $TMPDIR
variable to a malicious value, but only the user himself or root can do this,
so I don't see a problem here... Or is there any other problem?

Comment 3 Josh Bressers 2005-08-22 15:19:42 UTC
It could be.  It will really depend on the usage (I honestly don't know, I've
not fully investigated this).  By using rm -f, you are removing the file, which
could allow a malicious user (unlikely, but possible) to create a new file
before you do.  Depending on how the contents of the file are then used, it could
let an attacker run arbitrary commands.

">" just overwrites the file, keeping permissions, so it is safer.

Comment 4 Martin Stransky 2005-08-23 09:07:07 UTC
okay. Is this issue planned for async errata?

Comment 5 Red Hat Bugzilla 2005-09-06 13:41:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
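
The difference between "rm -f" and ">" discussed in Comments 2 and 3, as an added example that is not part of the bug report or of cvsbug: it records the inode and mode of a scratch file, applies each pattern, and checks whether the path still names the same file. Function names and the cvsbug-demo prefix are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and the cvsbug-demo prefix are constructed.

# Inode number plus permission string, e.g. "1234 -rw-------".
# Inode numbers can be recycled after a delete, so the mode is compared too.
file_identity() {
    ls -li "$1" | awk '{print $1, $2}'
}

# Private scratch file: mktemp picks an unused name and creates it mode 0600.
new_scratch() {
    mktemp "${TMPDIR:-/tmp}/cvsbug-demo.XXXXXX"
}

# Patched pattern: empty the file in place; the name never becomes free.
reuse_by_truncate() {
    : > "$1"
}

# Original pattern: rm frees the name and a later redirect re-creates it.
# The new file gets the umask default mode, and whoever creates the name
# first after the rm decides what the script ends up reading or writing.
reuse_after_rm() {
    rm -f "$1"
    ( umask 022; echo "Some User" > "$1" )
}

# Succeeds only if path $1 is still the object described by identity $2.
same_file() {
    [ "$(file_identity "$1")" = "$2" ]
}

# Run both patterns and report whether the scratch file survived each one.
compare_patterns() {
    a=$(new_scratch); ida=$(file_identity "$a")
    b=$(new_scratch); idb=$(file_identity "$b")
    reuse_by_truncate "$a"
    reuse_after_rm "$b"
    if same_file "$a" "$ida"; then r1=kept; else r1=replaced; fi
    if same_file "$b" "$idb"; then r2=kept; else r2=replaced; fi
    rm -f "$a" "$b"
    echo "truncate=$r1 rm=$r2"
}

compare_patterns
```

Truncation leaves the script holding the 0600 file it created; after "rm -f" the same path is a different, world-readable file.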

