Bug 25229 - sort uses predictable temporary filenames
Summary: sort uses predictable temporary filenames
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: textutils   
(Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-01-29 22:33 UTC by Pekka Savola
Modified: 2007-03-27 03:39 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-01-31 10:33:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
real fix (3.88 KB, patch)
2001-01-29 23:17 UTC, Bernhard Rosenkraenzer
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:009 high SHIPPED_LIVE : Updated textutils packages available 2001-01-29 05:00:00 UTC

Description Pekka Savola 2001-01-29 22:33:32 UTC
RHL7 textutils, as well as 2.0.11 from Rawhide, create temporary filenames in a 
predictable fashion.

See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:13.sort.asc for FreeBSD
advisory and ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch for a patch.

The patch isn't 100% applicable but the symptoms are similar.

A part of the affected code:
  if (long_file_names)
    sprintf (name, "%s%ssort%lu.%.5lu", temp_dir, slash, pid, seq);
      /* Make sure the file name is safe for an 8.3 filesystem.  */
      sprintf (name, "%s%ss%.5d%.2d.%.3d", temp_dir, slash,
               (int) (pid % 100000), (int) (seq / 1000 % 100),
               (int) (seq % 1000));

[no mkstemp is used]

Comment 1 Bernhard Rosenkraenzer 2001-01-29 22:49:34 UTC
The FreeBSD patch is not just not applicable, it's nonsense.
it uses mkstemp() to get the file name, then closes the fd and makes use of 
the name later.
An attacker can create a new symlink in the time between the two.
I'd say their patch actually adds to the problem - an attacker just needs to 
scan for temp files generated by sort, store the name, create a symlink with 
the same name as soon as the file disappears for the first time - no need to 
even guess the name.

Working on a proper fix...

Comment 2 Bernhard Rosenkraenzer 2001-01-29 23:17:50 UTC
Created attachment 8440 [details]
real fix

Comment 3 Bernhard Rosenkraenzer 2001-01-29 23:23:45 UTC
Updated packages built and waiting for QA approval.

Comment 4 Bernhard Rosenkraenzer 2001-01-31 10:33:42 UTC
On a second thought, the FreeBSD patch doesn't delete the file, so
an attacker can't create a symlink in its place.
I still prefer our variant though.

Comment 5 Bernhard Rosenkraenzer 2001-05-22 20:36:27 UTC
This was fixed a while ago

Note You need to log in before you can comment on or make changes to this bug.