Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Jun 2014 12:44:34 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: CVE request: multiple /tmp races in ppc64-diag

Just quoting from our bug report:

As noted in the SUSE bug report, numerous /tmp race conditions exist in ppc64-diag, in particular:

rtas_errd/diag_support.c:233:   char command[]="/usr/bin/find /proc/device-tree -name status -print > /tmp/get_dt_files";
rtas_errd/diag_support.c:241:   fp1 = fopen("/tmp/get_dt_files", "r");
rtas_errd/prrn_hotplug:8:TMPFILE=`mktemp -p /tmp`
scripts/ppc64_diag_mkrsrc:126:mkdir "/tmp/diagSEsnap", 0775;
scripts/ppc64_diag_mkrsrc:127:$general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";

In the case of rtas_errd/prrn_hotplug, mktemp is used but is assumed to have succeeded; there is no check for the return value.

mktemp should probably be used properly in all of these.  I don't know if the data in /tmp/diagSEsnap is sensitive or not, but if it is, the permissions on that directory should probably be tightened up.

I think a single CVE should suffice for this.  The above is from ppc64-diag-2.6.1.

Thanks.

References:

https://bugzilla.novell.com/show_bug.cgi?id=882667
https://bugzilla.redhat.com/show_bug.cgi?id=1109371


-- 
Vincent Danen / Red Hat Product Security
Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.