Bug 166365 - CAN-2005-2693 CVS temporary file issue
Summary: CAN-2005-2693 CVS temporary file issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cvs
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Martin Stransky
QA Contact: Ben Levenson
URL:
Whiteboard: impact=low,reported=20050819,source=v...
Depends On:
Blocks:
 
Reported: 2005-08-19 19:39 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2005-756
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-06 13:41:53 UTC
Target Upstream Version:
Embargoed:


Links
System ID: Red Hat Product Errata RHSA-2005:756
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: cvs security update
Last Updated: 2005-09-06 04:00:00 UTC

Description Josh Bressers 2005-08-19 19:39:23 UTC
Insecure temporary file usage was found in the cvsbug program.  It is possible
that a malicious user could leverage this issue to execute arbitrary
instructions as the user running cvsbug.

Here is the suggested patch:

Index: cvs-1.12.12/src/cvsbug.in
===================================================================
--- cvs-1.12.12.orig/src/cvsbug.in
+++ cvs-1.12.12/src/cvsbug.in
@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP
   fi
 fi

 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
   ORIGINATOR="`cat $TEMP`"
-  rm -f $TEMP
+  > $TEMP
 fi

 if [ -n "$ORGANIZATION" ]; then
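
Review bot: At both "> $TEMP" replacements, truncating instead of removing only closes the window if $TEMP was created exclusively by this script (for example via mktemp) and is removed once on exit; neither the creation of $TEMP nor a cleanup trap is visible in this hunk, so please confirm both in the rest of cvsbug.in. Neither site needs a file at all: the pipeline can be captured directly with command substitution, ORIGINATOR="`grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//'`", which drops the write to $TEMP, the "cat $TEMP" and the unquoted $TEMP expansions in these lines.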


Additionally, OWL has a number of additional temporary file fixes, most of which
are not security related:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/cvs/

Comment 1 Josh Bressers 2005-08-19 19:41:54 UTC
This issue should affect RHEL2.1 and RHEL3 as well.

Comment 2 Martin Stransky 2005-08-22 15:12:39 UTC
I'm not sure if this patch solves any problem (what is different if you change
"rm -f" to ">" when it comes to security?), and are you sure that this is a
security issue? The only attack that I can imagine is setting the $TMPDIR
variable to a malicious value, but only the user himself or root can do this,
so I don't see a problem here... Or is there any other problem?


Comment 3 Josh Bressers 2005-08-22 15:19:42 UTC
It could be.  It will really depend on the usage (I honestly don't know, I've
not fully investigated this).  By using rm -f, you are removing the file, which
could allow a malicious user (unlikely, but possible) to create a new file
before you do.  Depending on how the contents of the file are then used, it could
let an attacker run arbitrary commands.

">" just overwrites the file, keeping permissions, so it is safer.

Comment 4 Martin Stransky 2005-08-23 09:07:07 UTC
Okay. Is this issue planned for async errata?
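
The difference debated in comments 2 and 3 above, as an added example that is not part of the original bug report or of cvsbug: it compares truncating a temporary file in place with removing it and reusing the name, and goes one step beyond the patch by showing noclobber as a guard when a name must be recreated. All function names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added illustration with constructed data; not code from cvsbug.

# Print "inode mode" of a path using portable ls output.
file_id() { ls -dil "$1" | awk '{print $1, $2}'; }

# Stand-in for another local user creating the freed name first.
foreign_create() { ( umask 000; echo "not ours" > "$1" ); }

# Patched pattern: "> $TEMP" empties the file but keeps inode and mode.
truncate_keeps_identity() {
    f=$(mktemp) || return 2            # exclusive create, mode 0600
    echo "gecos data" > "$f"
    before=$(file_id "$f")
    : > "$f"
    after=$(file_id "$f")
    [ "$before" = "$after" ] && [ ! -s "$f" ]; rc=$?
    rm -f "$f"
    return $rc
}

# Old pattern: after "rm -f" the name is free; a later plain ">" writes
# into whatever file now holds that name, keeping its owner and mode.
reuse_after_rm_adopts_foreign_file() {
    f=$(mktemp) || return 2
    rm -f "$f"
    foreign_create "$f"
    before=$(file_id "$f")
    echo "gecos data" > "$f"
    after=$(file_id "$f")
    rm -f "$f"
    case "$after" in *rw-rw-rw-*) [ "$before" = "$after" ] ;; *) return 1 ;; esac
}

# If a name must be recreated, noclobber (set -C) makes ">" fail when
# the name already exists instead of adopting the existing file.
noclobber_refuses_existing() {
    f=$(mktemp) || return 2
    rm -f "$f"
    foreign_create "$f"
    if ( set -C; echo "gecos data" > "$f" ) 2>/dev/null; then rc=1; else rc=0; fi
    rm -f "$f"
    return $rc
}

for check in truncate_keeps_identity reuse_after_rm_adopts_foreign_file \
             noclobber_refuses_existing; do
    if "$check"; then echo "$check: yes"; else echo "$check: no"; fi
done
```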

Comment 5 Red Hat Bugzilla 2005-09-06 13:41:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-756.html


