Date: Fri, 15 Aug 2014 04:24:43 -0400 (EDT)
Subject: Re: CVE request: xcfa: Insecure use of temporary files, subject to race conditions

As mentioned in the post, the Symlink
Following composite is treated as somewhat of a special case in CVE.
This doesn't, for example, mean that all problematic uses of files in
/tmp are always covered by a single CVE ID.

>> rm /tmp/index.html

>> any existing file called /tmp/index.html will be removed regardless

This may be an issue that is typically treated as a usability problem
(or maybe a documentation problem), not a security problem. The rm
program should remove /tmp/index.html - it should not remove the
target of a /tmp/index.html symlink. (If there is a race condition
within an implementation of rm, that would not be an xcfa

Ideally, xcfa would not remove /tmp/index.html because /tmp/index.html
might be an important file unrelated to xcfa. However, there doesn't
seem to be a way to design an "attack" in the traditional sense, and
/tmp/index.html isn't a filename that would be important in typical
cases. For example, if I have a critical file named file.txt~ and a
less important file named file.txt, and I decide to modify file.txt
with emacs, then file.txt~ is overwritten with no warning. This is
typically not considered an emacs vulnerability. covers a number of Symlink Following
issues that allow overwriting files. Use CVE-2014-5254 for all of

>>         fp = fopen ("/tmp/", "w");
>>         fprintf (fp, "#!/bin/sh\n");

>>         fclose (fp);
>>         system ("chmod +x /tmp/");
>>         system ("/tmp/");

This one doesn't seem to be necessarily a Symlink Following issue. At
the instant of the fopen, /tmp/ might be a plain file
(not a symlink), owned by the attacker but with 0777 permissions. The
fopen/fprintf/fclose would succeed, and the chmod would fail. The
attacker can insert malicious code into /tmp/ in
between the fclose line and the second system line. Use CVE-2014-5255
for this.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
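The fopen/chmod/system sequence quoted above is the vulnerable pattern; as an added example (not xcfa's code and not part of the original reply), here is the temp-file handling a maintainer would use instead, in C: mkstemp() creates an unpredictable, exclusively opened 0600 file, fchmod() sets the mode on the descriptor rather than by path, and a pre-execution check rejects symlinks, foreign ownership and group/world-writable files. The template path /tmp/xcfa-XXXXXX and both function names are assumptions.

```c
/* Added example, not xcfa's code: a safe replacement for
 * fopen("/tmp/<fixed name>", "w") + chmod by path + system. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a private script. mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
 * so a pre-planted file or symlink at a guessable name is never reused, and
 * fchmod() on the descriptor closes the chmod-by-path window. Returns 0 on
 * success and stores the created path in path_out. Template is constructed. */
int make_private_script(const char *content, char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/xcfa-XXXXXX";   /* assumed location, unpredictable suffix */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    int ok = fchmod(fd, S_IRWXU) == 0 &&
             write(fd, content, len) == (ssize_t)len &&
             strlen(tmpl) < path_len;
    if (close(fd) != 0)
        ok = 0;
    if (!ok) {
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return 0;
}

/* Check a file before executing it from a shared directory: a regular file
 * (lstat, so a symlink is rejected), owned by the caller, and not writable by
 * group or others. Returns 1 if it passes, 0 otherwise. */
int verify_private_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}
```

Using the descriptor for everything after creation (fstat instead of a second lstat, or fexecve on the open fd) removes the remaining path lookup between the check and the execution.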