Bug 166365 - CAN-2005-2693 CVS temporary file issue
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cvs
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Martin Stransky
Ben Levenson
Keywords: Security
Reported: 2005-08-19 15:39 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2005-756
Doc Type: Bug Fix
Last Closed: 2005-09-06 09:41:53 EDT
Description Josh Bressers 2005-08-19 15:39:23 EDT
Insecure temporary file usage was found in the cvsbug program.  It is possible
that a malicious user could leverage this issue to execute arbitrary
instructions as the user running cvsbug.

Here is the suggested patch

Index: cvs-1.12.12/src/cvsbug.in
--- cvs-1.12.12.orig/src/cvsbug.in
+++ cvs-1.12.12/src/cvsbug.in
@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP

 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
-  rm -f $TEMP
+  > $TEMP

 if [ -n "$ORGANIZATION" ]; then
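Review bot: Truncating with `> $TEMP` in place of `rm -f $TEMP` only helps if `$TEMP` was created safely to begin with, and nothing in these lines shows how it is created; please confirm it comes from an exclusive create such as mktemp rather than a predictable name. At both changed lines the file holds a single line of pipeline output, so the temporary file could be avoided here altogether by capturing the `cut ... | sed -e 's/,.*//'` pipeline directly into ORIGINATOR with command substitution, the same way the existing assignment already wraps `cat $TEMP`. If the file stays, `$TEMP` should be quoted in the redirects.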

Additionally, OWL has a number of additional temporary file fixes, most of which
are not security related:
Comment 1 Josh Bressers 2005-08-19 15:41:54 EDT
This issue should affect RHEL2.1 and RHEL3 as well.
Comment 2 Martin Stransky 2005-08-22 11:12:39 EDT
I'm not sure if this patch solves any problem (what is different if you change
"rm -f" to ">" when it comes to security?), and are you sure that this is a
security issue? The only attack that I can imagine is setting the $TMPDIR
variable to any malicious value, but only the user himself or root can do that,
so I don't see a problem here... Or is there any other problem?
Comment 3 Josh Bressers 2005-08-22 11:19:42 EDT
It could be.  It will really depend on the usage (I honestly don't know, I've
not fully investigated this).  By using rm -f, you are removing the file, which
could allow a malicious user (unlikely, but possible) to create a new file
before you do.  Depending how the contents of the file are then used, it could
let an attacker run arbitrary commands.

">" just overwrites the file, keeping permissions so is safer.
Comment 4 Martin Stransky 2005-08-23 05:07:07 EDT
okay. Is this issue planned for async errata?
Comment 5 Red Hat Bugzilla 2005-09-06 09:41:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
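
The difference Comment 3 describes between `rm -f` and `>` can be observed directly. The following is an added example, not part of the bug report or of cvsbug; the helper names (`mode_of`, `reuse_by_truncate`, `reuse_by_remove`) are hypothetical and the files are scratch files created with `mktemp`.

```shell
#!/bin/sh
# Added example: contrasts the two ways of "emptying" a temp file discussed
# in the thread. File names come from mktemp; nothing here is cvsbug code.

# Print the permission string of a file, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Pattern from the patched script: truncate in place. The name stays
# occupied by our own file the whole time and its mode is unchanged.
reuse_by_truncate() {
    tmp=$(mktemp) || return 1           # created exclusively, mode 0600
    echo "first use" > "$tmp"
    : > "$tmp"                          # truncate, do not unlink
    if [ -f "$tmp" ] && [ ! -L "$tmp" ]; then gap=no; else gap=yes; fi
    echo "second use" > "$tmp"
    echo "gap=$gap mode=$(mode_of "$tmp")"
    rm -f "$tmp"
}

# Pattern from the unpatched script: remove, then write to the same name.
# Between rm and the next redirect the name is unclaimed, and the redirect
# creates a fresh file with whatever mode the umask allows.
reuse_by_remove() {
    tmp=$(mktemp) || return 1
    echo "first use" > "$tmp"
    rm -f "$tmp"
    if [ -e "$tmp" ]; then gap=no; else gap=yes; fi
    ( umask 022; echo "second use" > "$tmp" )
    echo "gap=$gap mode=$(mode_of "$tmp")"
    rm -f "$tmp"
}

reuse_by_truncate   # gap=no mode=-rw-------
reuse_by_remove     # gap=yes mode=-rw-r--r--
```

The second function reports a gap and a looser mode because the file written after `rm -f` is a new object, not the one `mktemp` created.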

