Bug 219279 - CVE-2006-6698 GConfd uses non-unique directory name in /tmp leading to local DoS
CVE-2006-6698 GConfd uses non-unique directory name in /tmp leading to local DoS
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: GConf2 (Show other bugs)
4.4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ray Strode [halfline]
source=redhat;reported=2006-12-12;imp...
: Security
Depends On:
Blocks: CVE-2006-6698 219281
  Show dependency treegraph
 
Reported: 2006-12-12 08:13 EST by Lubomir Kundrak
Modified: 2007-11-16 20:14 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-21 14:04:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 141138 None None None Never
GNOME Desktop 167030 None None None Never

  None (edit)
Description Lubomir Kundrak 2006-12-12 08:13:03 EST
Description of problem:

GConf uses the directory /tmp/gconfd-$LOGNAME for storing a lock file (and
possibly some other stuff -- I do not know, I know nearly nothing about GConf)
even if GCONF_GLOBAL_LOCKS environment is not set. As the /tmp directory is
sticky, it is possible for any user to create the directory with this name prior
to first login of a new user, effectively preventing it from using GConf
clients. The impact of this is quite serious, as the user can't use most of
Gnome, Evolution, etc. and it's quite hard for a non-technican user to work it
around.

Additionaly, I think any temporary directory and file should disappear when
application terminates. It is obvious that it is not a good practice not to do so.

Version-Release number of selected component (if applicable):

At least FC5 and FC6's GConf.

How reproducible:

Before user logs in/launches GConfd for the first time. Some systems erase /tmp
at each startup or use memory-based filesystem for it. In that case the problem
is reproducible after each startup.

Steps to Reproduce:

This migh be obvious enough
while (true); do touch /tmp/gconfd-$(tail -n1 /etc/passwd |awk -F: '{print
$1}'); done
Comment 1 Lubomir Kundrak 2006-12-22 08:18:20 EST
This corresponds to following Gnome bugzilla entries:
http://bugzilla.gnome.org/show_bug.cgi?id=167030
http://bugzilla.gnome.org/show_bug.cgi?id=141138
Comment 2 Lubomir Kundrak 2007-01-02 04:24:58 EST
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404743
Comment 3 Ray Strode [halfline] 2007-06-21 14:04:12 EDT
Closing this bug WONTFIX.

See the explanation in bug 219281 for more details.


Note You need to log in before you can comment on or make changes to this bug.