Red Hat Bugzilla – Bug 223233
CVE-2007-0007 gnucash happily overwrites files at /tmp
Last modified: 2014-03-16 23:04:57 EDT
Description of problem:
gnucash ignores env vars TMP TMPDIR TEMP TEMPDIR and happily
opens with modes O_WRONLY|O_CREAT|O_TRUNC (forgets O_EXCL),
allowing easy overwrite of gnucash user's files
in case of many users on the same system
or some evil program having access to /tmp.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. start gnucash
19621 17:56:45.850053 open("/tmp/gnucash.trace",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000034>
19621 17:56:45.850143 open("/tmp/qof.trace",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EISDIR (Is a directory) <0.000028>
19621 17:56:45.850271 open("/tmp/qof.trace.19621",
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 19 <0.000200>
using my temp dirs or flag O_EXCL to open().
I'm giving this CVE-2007-0007. Sami, do you mind if I share this information
with the Vendor Security mailing list? It is a group of trusted vendors who
would appreciate a notification of this flaw. Additionally do you have a date
in mind to make this flaw public? If you don't care, I'd be happy to work one
out with the other affected vendors.
Thanks for the report.
You can do the CVE dance and share the info.
You can work out the publication if you want to...
but if you forget to do it, I do it on Feb 19 2007.
If you need to use my email, email@example.com
is for that purpose, let's use this bugzilla email for bugzilla.
This flaw is now public:
gnucash-2.0.5-1.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.