Bug 25229 - sort uses predictable temporary filenames
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: textutils
Version: 7.0
Platform: i386 Linux
Priority: high
Severity: medium
Assigned To: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Keywords: Security
Reported: 2001-01-29 17:33 EST by Pekka Savola
Modified: 2007-03-26 23:39 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-01-31 05:33:45 EST

Attachments
real fix (3.88 KB, patch)
2001-01-29 18:17 EST, Bernhard Rosenkraenzer
Description Pekka Savola 2001-01-29 17:33:32 EST
RHL7 textutils, as well as 2.0.11 from Rawhide, create temporary filenames in a predictable fashion.

See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:13.sort.asc for the FreeBSD advisory and ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch for a patch.

The patch isn't 100% applicable but the symptoms are similar.

A part of the affected code:
---
  if (long_file_names)
    sprintf (name, "%s%ssort%lu.%.5lu", temp_dir, slash, pid, seq);
  else
    { 
      /* Make sure the file name is safe for an 8.3 filesystem.  */
      sprintf (name, "%s%ss%.5d%.2d.%.3d", temp_dir, slash,
               (int) (pid % 100000), (int) (seq / 1000 % 100),
               (int) (seq % 1000));
    }

---
[no mkstemp is used]
Comment 1 Bernhard Rosenkraenzer 2001-01-29 17:49:34 EST
The FreeBSD patch is not just not applicable, it's nonsense.
It uses mkstemp() to get the file name, then closes the fd and makes use of the name later.
An attacker can create a new symlink in the time between the two.
I'd say their patch actually adds to the problem - an attacker just needs to scan for temp files generated by sort, store the name, create a symlink with the same name as soon as the file disappears for the first time - no need to even guess the name.

Working on a proper fix...
Comment 2 Bernhard Rosenkraenzer 2001-01-29 18:17:50 EST
Created attachment 8440 [details]
real fix
Comment 3 Bernhard Rosenkraenzer 2001-01-29 18:23:45 EST
Updated packages built and waiting for QA approval.
Comment 4 Bernhard Rosenkraenzer 2001-01-31 05:33:42 EST
On second thought, the FreeBSD patch doesn't delete the file, so an attacker can't create a symlink in its place.
I still prefer our variant though.
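The mkstemp() pattern that Comments 1 and 4 argue over, written out as an added example (not the attached Red Hat patch and not textutils code): the temporary file is created exclusively with an unpredictable name, all I/O goes through the descriptor that mkstemp() returned, the file is never reopened by path, and the sanity checks are done on the descriptor rather than the name. The `sortXXXXXX` template and the function names are assumptions for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create sort's temporary file safely. mkstemp() picks an unpredictable name
 * and opens it O_CREAT|O_EXCL, so a symlink planted in advance is never
 * followed. The caller does all I/O through the returned fd and uses name_out
 * only for unlink(); the file is never reopened by path. Returns -1 on error. */
int open_temp_sorted(const char *dir, char *name_out, size_t n)
{
    struct stat st;
    if (snprintf(name_out, n, "%s/sortXXXXXX", dir) >= (int) n)
        return -1;
    int fd = mkstemp(name_out);      /* fills in XXXXXX, creates exclusively */
    if (fd < 0)
        return -1;
    /* Inspect what we hold (fstat on the fd), not the path: a regular file,
     * owned by us, with no extra hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        unlink(name_out);
        return -1;
    }
    return fd;
}

/* Comment 1's concern: the path and the held fd must still name the same inode. */
int same_inode(int fd, const char *name)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(name, &b) != 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed round trip: create, write two records through the fd, verify,
 * then unlink while the fd stays usable. Returns 1 on success, 0 otherwise. */
int temp_roundtrip(const char *dir)
{
    char name[4096];
    int fd = open_temp_sorted(dir, name, sizeof name);
    if (fd < 0)
        return 0;
    int ok = same_inode(fd, name) && write(fd, "b\na\n", 4) == 4;
    ok = ok && unlink(name) == 0 && !same_inode(fd, name);
    return close(fd) == 0 && ok;
}
```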
Comment 5 Bernhard Rosenkraenzer 2001-05-22 16:36:27 EDT
This was fixed a while ago.
