Bug 510024 - (CVE-2009-1893) CVE-2009-1893 dhcp: insecure temporary file use in the dhcpd init script
CVE-2009-1893 dhcp: insecure temporary file use in the dhcpd init script
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 188575 507734
  Show dependency treegraph
Reported: 2009-07-07 09:19 EDT by Tomas Hoger
Modified: 2016-03-04 07:12 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-21 12:50:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2009-07-07 09:19:28 EDT
Robert Vogelgesang reported that dhcpd init script as used in dhcp packages in Red Hat Enterprise Linux 3 does not create temporary files safely inside configtest() function.  Temporary file created by the script has predictable name (using script's process id), allowing local attacker to perform a symlink attack.  When init script is called with configtest, restart or reload argument, arbitrary file may be overwritten by the output of 'dhcpd -t' (dhcpd.conf syntax check).
Comment 1 Tomas Hoger 2009-07-07 09:22:42 EDT
This issue did not affect dhcp packages in Red Hat Enterprise Linux 4 and 5, and current Fedora versions (9, 10, 11).
Comment 2 Josh Bressers 2009-07-14 13:42:32 EDT
Opening bug
Comment 4 errata-xmlrpc 2009-07-14 15:32:34 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1154 https://rhn.redhat.com/errata/RHSA-2009-1154.html
Comment 5 Jan Lieskovsky 2009-07-18 05:55:44 EDT
MITRE's CVE-2009-1893 entry:

The configtest function in the Red Hat dhcpd init script for DHCP
3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to
overwrite arbitrary files via a symlink attack on an unspecified
temporary file, related to the "dhcpd -t" command.


Note You need to log in before you can comment on or make changes to this bug.