Bug 461501 - (CVE-2008-3927) CVE-2008-3927 tiger: insecure temporary file use in genmsgidx
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20080824,reported=2...
Keywords: Security
Depends On: 665464

Reported: 2008-09-08 12:15 EDT by Tomas Hoger
Modified: 2016-03-04 05:56 EST (History)
Doc Type: Bug Fix
Last Closed: 2012-09-10 18:08:11 EDT

Attachments
Patch used by Debian maintainer (987 bytes, patch)
2008-09-08 12:20 EDT, Tomas Hoger
Patch using mktemp (544 bytes, patch)
2008-09-08 12:22 EDT, Tomas Hoger
Patch that completely removes temporary file usage (407 bytes, patch)
2008-09-08 12:29 EDT, Tomas Hoger

Description Tomas Hoger 2008-09-08 12:15:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3927 to the following vulnerability:

genmsgidx in Tiger 3.2.2 allows local users to overwrite or delete arbitrary files via a symlink attack on temporary files.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496415
http://secunia.com/advisories/31659
Comment 1 Tomas Hoger 2008-09-08 12:18:40 EDT
Shipped in Fedora as /usr/lib/tiger/util/genmsgidx

According to the Debian bug, this script is not needed at runtime, only at package build time.  If that is the case, removing it completely may be a solution.
Comment 2 Tomas Hoger 2008-09-08 12:20:59 EDT
Created attachment 316103
Patch used by Debian maintainer

Uses tempfile from debianutils and falls back to the previous insecure way when it's not available.
Comment 3 Tomas Hoger 2008-09-08 12:22:17 EDT
Created attachment 316104
Patch using mktemp
Comment 4 Tomas Hoger 2008-09-08 12:29:05 EDT
Created attachment 316105
Patch that completely removes temporary file usage

It should be possible to provide the same functionality without the need for a temporary file.

Actually, if we only care about Fedora, we can assume that [ accepts the -x option and skip the test completely.  The bash version of [ seems to support -x even in the version shipped in Red Hat Enterprise Linux 2.1; the coreutils version of [ seems to support it as of Red Hat Enterprise Linux 4.

If we want that script to work on older systems, I'd probably go with this patch not using any temporary file.
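
The difference between a predictable temporary file name and one created with mktemp, as discussed in comments 2 and 3, shown as an added example that is not taken from this bug, its attachments or tiger itself. The genmsgidx code is not on this page, so the name pattern genidx.$$ and all function names are constructed stand-ins; the check runs entirely inside a throwaway directory.

```shell
#!/bin/sh
# Added example: constructed names, not the genmsgidx source.

# Hypothetical predictable name: fixed prefix plus the shell's PID.
predictable_name() { echo "$1/genidx.$$"; }

# Insecure pattern: '>' opens the path without O_EXCL, so if the name
# already exists as a symlink the data is written to the link's target.
write_predictable() {   # $1 = directory, $2 = data
    tmp=$(predictable_name "$1")
    echo "$2" > "$tmp"
}

# Hardened pattern: mktemp picks a random name and creates the file
# atomically, so it never reuses a file or link that already exists.
write_mktemp() {        # $1 = directory, $2 = data; prints the path used
    tmp=$(mktemp "$1/genidx.XXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Regression check: returns 0 if the writer leaves a file untouched when a
# symlink to it already sits at the predictable name, 1 if it was overwritten.
check_symlink_safe() {  # $1 = name of a writer function
    dir=$(mktemp -d) || return 2
    echo original > "$dir/victim"
    ln -s "$dir/victim" "$(predictable_name "$dir")"
    "$1" "$dir" "new data" >/dev/null 2>&1 || true
    result=$(cat "$dir/victim")
    rm -rf "$dir"
    [ "$result" = original ]
}

for w in write_predictable write_mktemp; do
    if check_symlink_safe "$w"; then
        echo "$w: existing link target untouched"
    else
        echo "$w: wrote through the existing symlink"
    fi
done
```

A fallback to the predictable-name branch when mktemp or tempfile is missing, as comment 2 describes for the Debian patch, leaves that branch failing this check.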
Comment 5 Vincent Danen 2010-12-23 17:42:48 EST
Wow.  This was reported two years ago, has a working patch, and it was never fixed.
Comment 6 Vincent Danen 2010-12-23 17:45:05 EST
Created tiger tracking bugs for this issue

Affects: fedora-all [bug 665464]
Comment 7 Vincent Danen 2012-09-10 18:08:11 EDT
This file seems to no longer exist in any version of tigervnc that we ship.
Comment 8 Tomas Hoger 2012-09-10 18:16:08 EDT
(In reply to comment #7)
> This file seems to no longer exist in any version of tigervnc that we ship.

Note that this bug is for tiger (Security auditing on UNIX systems), not tigervnc.  It seems tiger was removed from Fedora before F15.
Comment 9 Vincent Danen 2012-09-10 18:50:41 EDT
Hah, don't know why I was looking at tigervnc.  The file doesn't exist anywhere in Fedora anyways.  Thanks for the double-check.