Red Hat Bugzilla – Bug 25229
sort uses predictable temporary filenames
Last modified: 2007-03-26 23:39:59 EDT
RHL7 textutils, as well as 2.0.11 from Rawhide, create temporary filenames in a
See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:13.sort.asc for FreeBSD
advisory and ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch for a patch.
The patch isn't 100% applicable but the symptoms are similar.
A part of the affected code:
sprintf (name, "%s%ssort%lu.%.5lu", temp_dir, slash, pid, seq);
/* Make sure the file name is safe for an 8.3 filesystem. */
sprintf (name, "%s%ss%.5d%.2d.%.3d", temp_dir, slash,
(int) (pid % 100000), (int) (seq / 1000 % 100),
(int) (seq % 1000));
[no mkstemp is used]
The FreeBSD patch is not just not applicable, it's nonsense.
it uses mkstemp() to get the file name, then closes the fd and makes use of
the name later.
An attacker can create a new symlink in the time between the two.
I'd say their patch actually adds to the problem - an attacker just needs to
scan for temp files generated by sort, store the name, create a symlink with
the same name as soon as the file disappears for the first time - no need to
even guess the name.
Working on a proper fix...
Created attachment 8440 [details]
Updated packages built and waiting for QA approval.
On a second thought, the FreeBSD patch doesn't delete the file, so
an attacker can't create a symlink in its place.
I still prefer our variant though.
This was fixed a while ago