Bug 461477 (CVE-2008-3521) - CVE-2008-3521 jasper: temporary file creation race in jas_stream_tmpfile()
Summary: CVE-2008-3521 jasper: temporary file creation race in jas_stream_tmpfile()
Status: CLOSED NOTABUG
Alias: CVE-2008-3521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2008-09-08 13:30 UTC by Tomas Hoger
Modified: 2019-09-29 12:26 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-09-08 13:44:53 UTC

Attachments
OpenBSD patch (1.33 KB, patch)
2008-09-08 13:35 UTC, Tomas Hoger

Description Tomas Hoger 2008-09-08 13:30:05 UTC
Marc Espie and Christian Weisgerber of the OpenBSD project reported that the jas_stream_tmpfile() function used by jasper to create temporary files uses the tmpnam C library function to create temporary names. Usage of the tmpnam function may result in races in temporary file creation.

OpenBSD jasper library patches:
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/

Comment 1 Tomas Hoger 2008-09-08 13:35:29 UTC
Created attachment 316078
OpenBSD patch

Comment 2 Tomas Hoger 2008-09-08 13:44:53 UTC
Even though tmpnam is used in jas_stream_tmpfile, the subsequent open is called with the O_CREAT | O_EXCL flags. Therefore, this cannot be used to overwrite / create new files via a symlink attack.

An attacker may possibly be able to create a file with the name returned by tmpnam before open is called, but open will fail in such a case and that failure is handled gracefully by jasper. At worst, this can result in a DoS attack against an application using jasper. An attacker needs to win a race (not trivial), and the same result can be achieved via easier ways (filling the /tmp partition), which are not prevented by mkstemp usage. Therefore, this will not be treated as a security issue.

As for netpbm, which contains a copy of (part of) the jasper code, it uses mkstemp in recent versions (such as those shipped in Red Hat Enterprise Linux 5 and current Fedora versions).
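An added illustration of the property Comment 2 relies on (example code, not jasper's or netpbm's own): an O_CREAT | O_EXCL open of a name that already exists fails with EEXIST rather than following a planted link, and the mkstemp form folds name choice and exclusive creation into one call. The directory argument and the "jasXXXXXX" template are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: a name is chosen first (jasper used
 * tmpnam), then the file is created with O_CREAT | O_EXCL.  If that name
 * already exists, e.g. as a symlink created before open() runs, open()
 * does not follow it; it fails with EEXIST and nothing is overwritten. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* The mkstemp form netpbm moved to: name choice and exclusive creation
 * happen in one call, which retries on collisions instead of failing.
 * The file is unlinked at once so only the descriptor refers to it.
 * 'dir' and the "jasXXXXXX" template are assumptions of this example. */
int make_private_tmpfile(const char *dir)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/jasXXXXXX", dir) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    return fd;
}

/* The "lost race" case from the comment, simulated: a file with the
 * chosen name exists before the exclusive open.  Returns the errno the
 * open produced (EEXIST expected), 0 if it wrongly succeeded, -1 on setup failure. */
int lost_race_errno(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/jasXXXXXX", dir);
    int pre = mkstemp(path);        /* stands in for the pre-created name */
    if (pre < 0)
        return -1;
    close(pre);
    int fd = open_tmp_exclusive(path);
    int err = (fd < 0) ? errno : 0; /* graceful failure, no overwrite */
    if (fd >= 0)
        close(fd);
    unlink(path);
    return err;
}
```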
