Bug 223233 - (CVE-2007-0007) CVE-2007-0007 gnucash happily overwrites files at /tmp
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: gnucash
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Keywords: Security
Reported: 2007-01-18 11:09 EST by Sami Farin
Modified: 2014-03-16 23:04 EDT

Doc Type: Bug Fix
Last Closed: 2007-02-27 12:37:11 EST

Description Sami Farin 2007-01-18 11:09:15 EST
Description of problem:
gnucash ignores env vars TMP TMPDIR TEMP TEMPDIR and happily
opens with modes O_WRONLY|O_CREAT|O_TRUNC (forgets O_EXCL),
allowing easy overwrite of gnucash user's files
in case of many users on the same system
or some evil program having access to /tmp.

Version-Release number of selected component (if applicable):
2.0.4-1

How reproducible:
always

Steps to Reproduce:
1. start gnucash
Actual results:
19621 17:56:45.850053 open("/tmp/gnucash.trace", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000034>
19621 17:56:45.850143 open("/tmp/qof.trace", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000028>
19621 17:56:45.850271 open("/tmp/qof.trace.19621", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 19 <0.000200>


Expected results:
using my temp dirs or flag O_EXCL to open().

Additional info:
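The report comes down to two things visible in the strace above: the trace files are created at fixed (or PID-predictable) names directly under /tmp, ignoring TMPDIR, and they are opened with O_CREAT|O_TRUNC but without O_EXCL, so whatever already exists at that name is followed and truncated. The two EISDIR results are what you get when a directory already occupies the path, which is why those two opens failed harmlessly while the PID-suffixed one succeeded. The following added example is not gnucash code; it reproduces the reported flag set beside the two fixes the reporter asks for (O_EXCL, and honouring TMPDIR via mkstemp), in a private scratch directory created with mkdtemp so nothing outside it is touched. The file names, the "balances" contents and the demo function names are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0   /* not every libc defines it; 0 is harmless here */
#endif

/* The flag set from the strace in the report: O_CREAT without O_EXCL, so
 * whatever already sits at `path`, including a symlink someone else planted
 * pointing at the victim's file, is followed and truncated. */
static int open_trace_as_reported(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE, 0666);
}

/* Minimal fix for a fixed name: with O_EXCL, open() fails with EEXIST when
 * anything (file, directory, symlink, dangling or not) is already there. */
static int open_trace_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Fuller fix: honour TMPDIR and let mkstemp() pick an unpredictable name.
 * glibc's mkstemp() opens with O_CREAT|O_EXCL and mode 0600; the chosen
 * path is written back into path_out. */
static int open_trace_hardened(char *path_out, size_t out_len, const char *prefix) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0') dir = "/tmp";
    int n = snprintf(path_out, out_len, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= out_len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path_out);
}

/* Constructed scenario in a private scratch directory: a victim file with
 * contents, and a symlink planted at the predictable trace name "qof.trace". */
static int make_scratch(char *dir, char *victim, char *link, size_t len) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || base[0] == '\0') base = "/tmp";
    snprintf(dir, len, "%s/gnucash-demo.XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, len, "%s/victim.txt", dir);
    snprintf(link, len, "%s/qof.trace", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "balances\n", 9) != 9) return -1;
    close(fd);
    return symlink(victim, link);
}

static void cleanup(const char *dir, const char *victim, const char *link, const char *extra) {
    if (extra != NULL) unlink(extra);
    unlink(link); unlink(victim); rmdir(dir);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* 1 if the reported flags followed the planted symlink and emptied the victim. */
int demo_reported_flags_clobber_victim(void) {
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (make_scratch(dir, victim, link, PATH_MAX) != 0) return -1;
    int fd = open_trace_as_reported(link);
    if (fd >= 0) close(fd);
    int clobbered = (fd >= 0 && file_size(victim) == 0);
    cleanup(dir, victim, link, NULL);
    return clobbered;
}

/* 1 if O_EXCL refused the planted symlink with EEXIST and the victim is intact. */
int demo_excl_refuses_planted_symlink(void) {
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (make_scratch(dir, victim, link, PATH_MAX) != 0) return -1;
    int fd = open_trace_excl(link);
    int refused = (fd < 0 && errno == EEXIST && file_size(victim) == 9);
    if (fd >= 0) close(fd);
    cleanup(dir, victim, link, NULL);
    return refused;
}

/* 1 if the hardened open lands under TMPDIR with mode 0600 and leaves both the
 * planted name and the victim untouched. TMPDIR is restored afterwards. */
int demo_hardened_uses_tmpdir(void) {
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX], path[PATH_MAX], saved[PATH_MAX];
    const char *old = getenv("TMPDIR");
    int had_tmpdir = (old != NULL);
    if (had_tmpdir) snprintf(saved, sizeof saved, "%s", old);
    if (make_scratch(dir, victim, link, PATH_MAX) != 0) return -1;
    setenv("TMPDIR", dir, 1);
    int fd = open_trace_hardened(path, sizeof path, "qof.trace");
    struct stat st;
    int ok = (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600
              && strncmp(path, dir, strlen(dir)) == 0
              && file_size(victim) == 9 && file_size(link) == 9);
    if (fd >= 0) close(fd);
    if (had_tmpdir) setenv("TMPDIR", saved, 1); else unsetenv("TMPDIR");
    cleanup(dir, victim, link, fd >= 0 ? path : NULL);
    return ok;
}

int main(void) {
    printf("reported flags clobber victim: %d\n", demo_reported_flags_clobber_victim());
    printf("O_EXCL refuses planted symlink: %d\n", demo_excl_refuses_planted_symlink());
    printf("mkstemp under TMPDIR, victim intact: %d\n", demo_hardened_uses_tmpdir());
    return 0;
}
```

The demo uses a private 0700 directory so the truncation is visible regardless of kernel settings. In a real sticky, world-writable /tmp, Linux kernels since 3.6 with fs.protected_symlinks=1 refuse to follow a symlink owned by a different user, which blocks the cross-user variant of this attack, but not the "evil program running as the same user" case the reporter also mentions, and not on older kernels or other Unix systems. O_EXCL and mkstemp close the hole on all of them; honouring TMPDIR additionally lets a user keep the files out of the shared directory altogether.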
Comment 1 Josh Bressers 2007-01-18 13:45:18 EST
I'm giving this CVE-2007-0007.  Sami, do you mind if I share this information
with the Vendor Security mailing list?  It is a group of trusted vendors who
would appreciate a notification of this flaw.  Additionally do you have a date
in mind to make this flaw public?  If you don't care, I'd be happy to work one
out with the other affected vendors.

Thanks for the report.
Comment 2 Sami Farin 2007-01-18 15:58:13 EST
You can do the CVE dance and share the info.

You can work out the publication if you want to...
but if you forget to do it, I do it on Feb 19 2007.

If you need to use my email, safari-fedora@safari.iki.fi
is for that purpose, let's use this bugzilla email for bugzilla.
Comment 4 Josh Bressers 2007-02-19 12:30:11 EST
This flaw is now public:
http://secunia.com/advisories/24225/
Comment 5 Fedora Update System 2007-02-19 13:41:50 EST
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 6 Fedora Update System 2007-02-27 11:49:19 EST
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.