25229 – sort uses predictable temporary filenames

Bug 25229 - sort uses predictable temporary filenames

Summary: sort uses predictable temporary filenames

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	textutils
Sub Component:	(Show other bugs)
Version:	7.0
Hardware:	i386 Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Bernhard Rosenkraenzer
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-01-29 22:33 UTC by Pekka Savola
Modified:	2007-03-27 03:39 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-01-31 10:33:45 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
real fix (3.88 KB, patch) 2001-01-29 23:17 UTC, Bernhard Rosenkraenzer	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2001:009	high	SHIPPED_LIVE	: Updated textutils packages available	2001-01-29 05:00:00 UTC

Description Pekka Savola 2001-01-29 22:33:32 UTC

RHL7 textutils, as well as 2.0.11 from Rawhide, create temporary filenames in a 
predictable fashion.

See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:13.sort.asc for FreeBSD
advisory and ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch for a patch.

The patch isn't 100% applicable but the symptoms are similar.

A part of the affected code:
---
  if (long_file_names)
    sprintf (name, "%s%ssort%lu.%.5lu", temp_dir, slash, pid, seq);
  else
    { 
      /* Make sure the file name is safe for an 8.3 filesystem.  */
      sprintf (name, "%s%ss%.5d%.2d.%.3d", temp_dir, slash,
               (int) (pid % 100000), (int) (seq / 1000 % 100),
               (int) (seq % 1000));
    }

---
[no mkstemp is used]

Comment 1 Bernhard Rosenkraenzer 2001-01-29 22:49:34 UTC

The FreeBSD patch is not just not applicable, it's nonsense.
it uses mkstemp() to get the file name, then closes the fd and makes use of 
the name later.
An attacker can create a new symlink in the time between the two.
I'd say their patch actually adds to the problem - an attacker just needs to 
scan for temp files generated by sort, store the name, create a symlink with 
the same name as soon as the file disappears for the first time - no need to 
even guess the name.

Working on a proper fix...

Comment 2 Bernhard Rosenkraenzer 2001-01-29 23:17:50 UTC

Created attachment 8440 [details]
real fix

Comment 3 Bernhard Rosenkraenzer 2001-01-29 23:23:45 UTC

Updated packages built and waiting for QA approval.

Comment 4 Bernhard Rosenkraenzer 2001-01-31 10:33:42 UTC

On a second thought, the FreeBSD patch doesn't delete the file, so
an attacker can't create a symlink in its place.
I still prefer our variant though.

Comment 5 Bernhard Rosenkraenzer 2001-05-22 20:36:27 UTC

This was fixed a while ago

Note You need to log in before you can comment on or make changes to this bug.