Bug 461477 (CVE-2008-3521) - jasper: temporary file creation race in jas_stream_tmpfile()
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: source=vendor-sec,reported=20080519,p...
Keywords: Security
Reported: 2008-09-08 09:30 EDT by Tomas Hoger
Modified: 2009-03-27 05:24 EDT (History)
Last Closed: 2008-09-08 09:44:53 EDT
Attachments (Terms of Use)
OpenBSD patch (1.33 KB, patch)
2008-09-08 09:35 EDT, Tomas Hoger
Description Tomas Hoger 2008-09-08 09:30:05 EDT
Marc Espie and Christian Weisgerber of the OpenBSD project reported that the jas_stream_tmpfile() function used by jasper to create temporary files uses the tmpnam C library function to create temporary names. Usage of the tmpnam function may result in races in temporary file creation.

OpenBSD jasper library patches:
http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/
Comment 1 Tomas Hoger 2008-09-08 09:35:29 EDT
Created attachment 316078
OpenBSD patch
Comment 2 Tomas Hoger 2008-09-08 09:44:53 EDT
Even though tmpnam is used in jas_stream_tmpfile, the subsequent open is called with the O_CREAT | O_EXCL flags. Therefore, this cannot be used to overwrite or create new files via a symlink attack.

An attacker may possibly be able to create a file with the name returned by tmpnam before open is called, but open will fail in such a case and that failure is handled gracefully by jasper. At worst, this can result in a DoS attack against an application using jasper. An attacker needs to win a race (not trivial), and the same result can be achieved via easier ways (filling the /tmp partition), which are not prevented by mkstemp usage. Therefore, this will not be treated as a security issue.

As for netpbm, which contains a copy of (part of) the jasper code, it uses mkstemp in recent versions (such as those shipped in Red Hat Enterprise Linux 5 and current Fedora versions).
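The behaviour Comment 2 describes, as an added C example (not jasper's or netpbm's own code): an open() with O_CREAT | O_EXCL refuses a file planted at the predicted name and reports EEXIST instead of clobbering anything, and the mkstemp() variant closes the name-then-open window entirely. The paths and the template are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Open `path` as a brand-new temporary file; returns an fd or -1 with errno
   set. O_EXCL makes open() fail with EEXIST if anything (a file or a symlink)
   already sits at `path`, so a name guessed from tmpnam() cannot be used to
   overwrite another file; at worst the temp file is not created. */
int open_tmp_excl(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (fd < 0)
        return -1;          /* lost the race: nothing clobbered, report failure */
    unlink(path);           /* keep only the descriptor, like a tmpfile() */
    return fd;
}

/* The mkstemp() variant Comment 2 mentions for netpbm: the name is chosen and
   the file created atomically, so there is no name-then-open window at all.
   The template is a constructed example path. */
int mkstemp_tmpfile(void)
{
    char tmpl[] = "/tmp/jas-example-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);
    return fd;
}

/* Reproduce the scenario from Comment 2: something is planted at the predicted
   name before open_tmp_excl() runs. Returns 1 when the open correctly fails
   with EEXIST (no overwrite), 0 otherwise. Removes the planted file again. */
int race_is_harmless(const char *path)
{
    int planted = open(path, O_CREAT | O_WRONLY, 0600);
    if (planted < 0)
        return 0;
    close(planted);
    int fd = open_tmp_excl(path);
    int harmless = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return harmless;
}
```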