Bug 251200 (CVE-2007-3852) - CVE-2007-3852 sysstat insecure temporary file usage
Summary: CVE-2007-3852 sysstat insecure temporary file usage
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-3852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 252295 252296 716959
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-07 18:51 UTC by Josh Bressers
Modified: 2021-02-25 18:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-21 14:22:22 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1005 0 normal SHIPPED_LIVE Low: sysstat security, bug fix, and enhancement update 2011-07-21 10:39:28 UTC

Description Josh Bressers 2007-08-07 18:51:43 UTC
Julien L. reported a bug in the way sysstat creates a temporary file during startup.

    Introduction
    ------------

    Sysstat package provides the sar and iostat commands for Linux. Sar and
    iostat enable system monitoring of disk, network, and other IO activity.

    When sysstat service starts or restarts, a part of the sysstat script
    located in the /etc/init.d directory is executed.

    /etc/init.d/sysstat (from a Red Hat EL5 distribution):
    ...
    31 rm -f /tmp/sysstat.run
    32
    33 # See how we were called.
    34 case "$1" in
    35 start)
    36 echo -n "Calling the system activity data collector (sadc): "
    37 /usr/lib/sa/sadc -F -L - && touch /tmp/sysstat.run
    38
    ...

    The temporary file "sysstat.run" is created in an insecure manner in the
    tmp directory. A simple user is abble to create a file wherever on the
    system using a symlink attack.

This flaw is only exploitable when the sysstat service is issued a "start"
command.  This is only exploitable by a local user when the system switches
runlevels (the most likely being the move from runlevel 3 to runlevel 5 during
startup).  It's also possible if an admin run "service sysstat start".
Running "service sysstat restart" will not trigger the flaw.

Comment 2 Lubomir Kundrak 2007-08-15 06:25:46 UTC
Reference to Gentoo bugzilla, contains a patch:
http://bugs.gentoo.org/show_bug.cgi?id=188808

Comment 5 errata-xmlrpc 2011-07-21 10:39:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html

Comment 6 errata-xmlrpc 2011-07-21 12:10:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html

Comment 7 Jan Lieskovsky 2011-07-21 14:21:41 UTC
Statement:

This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.


Note You need to log in before you can comment on or make changes to this bug.