Bug 251200 - (CVE-2007-3852) CVE-2007-3852 sysstat insecure temporary file usage
CVE-2007-3852 sysstat insecure temporary file usage
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
public=20070810,reported=20070803,sou...
: Security
Depends On: 252295 252296 716959
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-07 14:51 EDT by Josh Bressers
Modified: 2016-03-04 06:13 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 10:22:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2007-08-07 14:51:43 EDT
Julien L. reported a bug in the way sysstat creates a temporary file during startup.

    Introduction
    ------------

    Sysstat package provides the sar and iostat commands for Linux. Sar and
    iostat enable system monitoring of disk, network, and other IO activity.

    When sysstat service starts or restarts, a part of the sysstat script
    located in the /etc/init.d directory is executed.

    /etc/init.d/sysstat (from a Red Hat EL5 distribution):
    ...
    31 rm -f /tmp/sysstat.run
    32
    33 # See how we were called.
    34 case "$1" in
    35 start)
    36 echo -n "Calling the system activity data collector (sadc): "
    37 /usr/lib/sa/sadc -F -L - && touch /tmp/sysstat.run
    38
    ...

    The temporary file "sysstat.run" is created in an insecure manner in the
    tmp directory. A simple user is abble to create a file wherever on the
    system using a symlink attack.

This flaw is only exploitable when the sysstat service is issued a "start"
command.  This is only exploitable by a local user when the system switches
runlevels (the most likely being the move from runlevel 3 to runlevel 5 during
startup).  It's also possible if an admin run "service sysstat start".
Running "service sysstat restart" will not trigger the flaw.
Comment 2 Lubomir Kundrak 2007-08-15 02:25:46 EDT
Reference to Gentoo bugzilla, contains a patch:
http://bugs.gentoo.org/show_bug.cgi?id=188808
Comment 5 errata-xmlrpc 2011-07-21 06:39:34 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
Comment 6 errata-xmlrpc 2011-07-21 08:10:20 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
Comment 7 Jan Lieskovsky 2011-07-21 10:21:41 EDT
Statement:

This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.

Note You need to log in before you can comment on or make changes to this bug.