Bug 251200 - (CVE-2007-3852) CVE-2007-3852 sysstat insecure temporary file usage
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Hardware: All   OS: Linux
Priority: low   Severity: low
Assigned To: Red Hat Product Security
Depends On: 252295 252296 716959
Reported: 2007-08-07 14:51 EDT by Josh Bressers
Modified: 2016-03-04 06:13 EST (History)

Doc Type: Bug Fix
Last Closed: 2011-07-21 10:22:22 EDT

Description Josh Bressers 2007-08-07 14:51:43 EDT
Julien L. reported a bug in the way sysstat creates a temporary file during startup.


    Sysstat package provides the sar and iostat commands for Linux. Sar and
    iostat enable system monitoring of disk, network, and other IO activity.

    When sysstat service starts or restarts, a part of the sysstat script
    located in the /etc/init.d directory is executed.

    /etc/init.d/sysstat (from a Red Hat EL5 distribution):
    rm -f /tmp/
    # See how we were called.
    case "$1" in
    start)
    echo -n "Calling the system activity data collector (sadc): "
    /usr/lib/sa/sadc -F -L - && touch /tmp/

    The temporary file "" is created in an insecure manner in the
    tmp directory. A simple user is able to create a file anywhere on the
    system using a symlink attack.

This flaw is only exploitable when the sysstat service is issued a "start"
command.  This is only exploitable by a local user when the system switches
runlevels (the most likely being the move from runlevel 3 to runlevel 5 during
startup).  It's also possible if an admin runs "service sysstat start".
Running "service sysstat restart" will not trigger the flaw.
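The attack the report describes, and the kind of change that closes it, as an added example written for this page (it is not the init script from the report and not Red Hat's fix). It reproduces the "rm -f, run the collector, touch the flag" sequence inside a throwaway sandbox, lets a stand-in for the unprivileged user plant a symlink in the window between the rm and the touch, and shows a hardened start that keeps the flag in a directory untrusted users cannot write and creates it with exclusive (O_EXCL) semantics. The flag name sysstat.flag, the sandbox paths and the private directory are assumptions; the report elides the real filename.

```sh
#!/bin/sh
# Added example for CVE-2007-3852; not the original init script nor the
# vendor fix. Paths and the flag name are assumptions.
set -u

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
WORLD_TMP="$SANDBOX/tmp"             # stands in for /tmp (world-writable, sticky)
ROOT_DIR="$SANDBOX/etc"              # stands in for a directory only root can write
PRIV_RUN="$SANDBOX/var/lock/sysstat" # assumed root-only directory for the flag
TARGET="$ROOT_DIR/planted-by-attacker"
mkdir -p "$WORLD_TMP" "$ROOT_DIR" "$PRIV_RUN"
chmod 1777 "$WORLD_TMP"
chmod 0700 "$PRIV_RUN"

# Shape of the vulnerable init script: the flag is removed early, the
# collector runs (the argument stands in for sadc and is the race window),
# then the flag is re-created with touch. touch follows symlinks, so
# whatever sits at the path when it runs decides where the file lands.
vulnerable_start() {
    flag="$WORLD_TMP/sysstat.flag"
    rm -f "$flag"
    "$1"
    touch "$flag"
}

# The unprivileged user's move during the window: plant a symlink at the
# flag path that points into a directory they cannot write themselves.
attacker_plant_symlink() {
    ln -s "$TARGET" "$WORLD_TMP/sysstat.flag"
}

# Create a flag with O_EXCL semantics via the shell's noclobber option: if
# anything (regular file or symlink, dangling or not) already occupies the
# path, the redirection fails and the link is never followed.
create_flag_excl() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Hardened start: keep the flag in a directory untrusted users cannot
# write, refuse to proceed if that directory is itself a symlink, and use
# exclusive creation as defense in depth.
hardened_start() {
    dir="$PRIV_RUN"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 2
    flag="$dir/sysstat.flag"
    rm -f "$flag"
    "$1"
    create_flag_excl "$flag"
}

# Returns 0 when the attack succeeds against the vulnerable pattern: the
# attacker-chosen target now exists, created by the privileged touch.
demo_vulnerable() {
    rm -f "$TARGET" "$WORLD_TMP/sysstat.flag"
    vulnerable_start attacker_plant_symlink
    [ -e "$TARGET" ]
}

# Returns 0 when exclusive creation refuses a pre-planted symlink and the
# target is left untouched, even in the world-writable directory.
demo_excl_refuses_symlink() {
    rm -f "$TARGET" "$WORLD_TMP/sysstat.flag"
    attacker_plant_symlink
    if create_flag_excl "$WORLD_TMP/sysstat.flag"; then
        return 1
    fi
    [ ! -e "$TARGET" ]
}

# Returns 0 when the hardened start completes, the flag is a regular file
# in the private directory, and the symlink planted in /tmp changes nothing.
demo_hardened() {
    rm -f "$TARGET" "$WORLD_TMP/sysstat.flag" "$PRIV_RUN/sysstat.flag"
    hardened_start attacker_plant_symlink || return 1
    [ -f "$PRIV_RUN/sysstat.flag" ] && [ ! -L "$PRIV_RUN/sysstat.flag" ] && [ ! -e "$TARGET" ]
}

if [ "${1:-}" = "run" ]; then
    demo_vulnerable && echo "vulnerable pattern: attacker-chosen file created at $TARGET"
    demo_excl_refuses_symlink && echo "noclobber creation refused the planted symlink"
    demo_hardened && echo "hardened start: flag in private dir, target untouched"
fi
```

Run it as `sh example.sh run`. Moving the flag out of /tmp is the real fix: once the directory is root-owned and not world-writable there is no path an unprivileged user can pre-plant, so the rm/touch sequence is no longer a race. The noclobber check is a second layer that turns a planted link into a visible failure rather than a silently created file.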
Comment 2 Lubomir Kundrak 2007-08-15 02:25:46 EDT
Reference to Gentoo bugzilla, contains a patch:
Comment 5 errata-xmlrpc 2011-07-21 06:39:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005
Comment 6 errata-xmlrpc 2011-07-21 08:10:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005
Comment 7 Jan Lieskovsky 2011-07-21 10:21:41 EDT

This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via the RHSA-2011:1005 advisory.
