Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file. http://www.zataz.net/adviso/shtool-05252005.txt nmap contains shtool in its source.
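The temporary-file race described above, as an added example that is not part of the original report or of shtool itself: a POSIX shell helper that creates a scratch file atomically with mktemp instead of a predictable `.name.$$` path, a defensive symlink check for paths a script must reuse, and a grep that audits build scripts for the PID-based naming idiom. The function names, the `shtool.XXXXXX` template and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not shtool's own code. A temp file named after the PID
# (".shtool.$$") is guessable, so a local user can pre-create a symlink at
# that path and the script's redirection writes through it. mktemp creates
# the file atomically (O_EXCL, mode 0600) under a random name, so a
# pre-planted symlink makes creation fail instead of being followed.
secure_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/shtool.XXXXXX") || return 1
    printf '%s\n' "$f"
}

# Defense in depth for paths a script must reuse: refuse symlinks and
# non-regular files. This check is itself racy (the path can change between
# the test and the write); atomic creation above is the real fix, this only
# makes an obvious symlink fail loudly instead of silently clobbering a file.
write_if_regular() {
    path="$1"; data="$2"
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2; return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path is not a regular file" >&2; return 1
    fi
    printf '%s\n' "$data" > "$path"
}

# Audit helper for maintainers: flag scripts that build temp names from $$
# (the shtool 2.0.1 idiom). Prints file:line:text per hit; exit 1 if none.
find_pid_tmp_patterns() {
    grep -nE '[A-Za-z0-9_./]+\.\$\$' "$@"
}
```

Run `find_pid_tmp_patterns build/*.sh` over a source tree to locate scripts that still use the vulnerable naming; each hit should be converted to `secure_tmpfile`.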
This issue should also affect RHEL2.1 and RHEL3
shtool is only used in the build process. So a user can only be compromised when he rebuilds nmap.
Correct, please just keep this fix on the shelf for the next nmap update.
Red Hat Enterprise Linux 2.1 and 3 reached end of life already. Red Hat Enterprise Linux 4 is in the Production 3 phase of its life cycle: https://access.redhat.com/support/policy/updates/errata/ There is no plan to address this flaw in Red Hat Enterprise Linux 4, as it does not affect binary nmap packages, and is only a problem during the package rebuilds.
Created attachment 510494: Upstream fix. Upstream change extracted from 2.0.1 -> 2.0.2 diff. Noted for posterity.
I have double-checked the shtool version bundled with nmap sources in Red Hat Enterprise Linux 3 and 4. That version did not contain the relevant code for creating temporary files, and hence was not affected by this problem. This issue was addressed in the shtool version embedded with PHP versions in Red Hat Enterprise Linux 3 and 4: https://www.redhat.com/security/data/cve/CVE-2005-1751.html The upstream PHP bug indicates the affected code was not used during the PHP build: https://bugs.php.net/bug.php?id=33150 The shtool version containing this bug is part of openldap sources (RHEL-4 and compat in RHEL-5) and rrdtool sources (RHEL-6), but the affected code is not used. Other components embedding shtool shipped in Red Hat Enterprise Linux contain the patched upstream shtool version (php, openldap, pth, nmap in RHEL-5 and RHEL-6, and lzo, lzop, uuid in RHEL-6).