Bug 236586 - CVE-2007-2030 /tmp race in lha
CVE-2007-2030 /tmp race in lha
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: lha (Show other bugs)
5
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Smetana
https://bugzilla.novell.com/show_bug....
impact=low,source=opensuse,reported=2...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-16 12:21 EDT by Lubomir Kundrak
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-09 04:41:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
New patch (3.06 KB, patch)
2007-06-05 09:18 EDT, Tomas Smetana
no flags Details | Diff

  None (edit)
Description Lubomir Kundrak 2007-04-16 12:21:57 EDT
+++ This bug was initially created as a clone of Bug #236585 +++

Description of problem:

lha doesn't open temporary files exclusively, which makes it possible for an
attacker to conduct a time-dependent attack by creating the file in advance.

Version-Release number of selected component (if applicable):

        Affects: RHEL2.1
        Affects: RHEL3
        Affects: RHEL4
        Affects: FC5

How reproducible:

Time-dependent race.

Additional info:

The patch also incorporates some trailing-NUL things from SUSE's
security review patch. I do not know why weren't they unlike some other
fixes from that patch integrated in our packages. It might be possible
that they are not needed. The patch is basically a polished diff between
SUSE and FC-5 lha.

-- Additional comment from lkundrak@redhat.com on 2007-04-16 12:20 EST --
Created an attachment (id=152702)
Patch for lha /tmp race & others, applies to FC5
Comment 1 Tomas Smetana 2007-06-05 09:18:11 EDT
Created attachment 156216 [details]
New patch

One of the patches already present in FC-5 lha replaces mktemp call with
mkstemp which should solve the problem. The patch proposed above won't work
with the one already applied. Here is the fixed version that should solve the
issue without conflicting with previous patches.

Note You need to log in before you can comment on or make changes to this bug.