Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 91792 - net-analyzer/net-snmp fixproc insecure temporary file creation
Summary: net-analyzer/net-snmp fixproc insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-07 04:59 UTC by eromang
Modified: 2005-08-15 21:53 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description eromang 2005-05-07 04:59:08 UTC
Hello,

Just take a look at /usr/bin/fixproc

Line 233 :

# it must be "shell", so execute the shell script defined in database

local ($tmpfile) = "/tmp/fix_$$";
 	
&create_sh_script ($fix{$proc}, $tmpfile);
 
# return code is number divided by 256
$error_code = (system "$tmpfile") / 256;

-----------------------------------------

We see that the tmp file is created with $$ value and this script is execute by the perl system command

The subfunction do only this :

-------------------------------------

sub create_sh_script
{
  local ($file) = pop (@_);
  local ($i) = pop (@_);

  printf (stderr "create_sh_script\n") if ($debug > 0);

  $! = $fixproc_error;
  open (file, ">"."$file") || die "$0: cannot open $file\n";
  while ( $shell_lines[$i] ne $shell_end_marker )
    {
      printf (file "%s", $shell_lines[$i]);
      $i++;
    }
  close (file);
  system "chmod +x $file";
  return file;
}

----------------------------------------

My knowledge in perl is not so good, but maybe a toctou or race condition could be exploited here, and permit to a basic user to run arbitrairie commands on the system ?

Regards?

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Actual Results:  
local ($tmpfile) = "/tmp/fix_$$"; is created without mktemp and chmod

Expected Results:  
local ($tmpfile) = "/tmp/fix_$$"; should, maybe, created with mktemp and chmod
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-07 10:11:19 UTC
Auditors please confirm.
Comment 2 Robert Paskowitz (RETIRED) gentoo-dev 2005-05-07 21:03:09 UTC
Looks like it could be a legitimate problem, but a call to mktemp from a perl script seems a bit excessive. Also, the same thing happens in do_check, so if one is to be fixed, the second should as well.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-09 23:15:34 UTC
Taviso/Tigger/Solar please advise.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-11 15:12:58 UTC
Confirmed, insecure tmp file handling, with a race condition for arbitrary command execution.

File::Temp should be used instead of a pid based template.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-11 21:17:13 UTC
Max will you relay this to upstream?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:32:15 UTC
Or maybe the reporter (eromang) wants to report upstream to get the credits ?
Comment 7 Romang 2005-05-17 01:13:15 UTC
Hello,

OK i have contact upstream.

http://sourceforge.net/tracker/index.php?func=detail&aid=1203376&group_id=12694&atid=112694

Regards.
Comment 8 Romang 2005-05-17 23:26:31 UTC
Hello,

Take a look on this :

http://rpmfind.net/linux/RPM/suse/9.1/i386/suse/i586/net-snmp-5.1-80.i586.html

* Tue Mar 16 2004 - ro@suse.de
  - use mktemp in fixproc (#36103)

But net-snmp-5.2.1 still not corrected ....

It seem that the upstream doesn't care about this bug.

Regards.
Comment 9 Aaron Walker (RETIRED) gentoo-dev 2005-05-18 08:30:53 UTC
5.2.1-r1 is in CVS. x86 stable. CC'd archs please stable.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-05-18 10:17:38 UTC
stable on ppc64
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-18 10:27:25 UTC
Stable on ppc.
Comment 12 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-18 10:38:12 UTC
stable on amd64
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-05-18 11:51:39 UTC
stable on hppa
Comment 14 Jason Wever (RETIRED) gentoo-dev 2005-05-18 14:49:22 UTC
Sparcky SPARC and the Stable Bunch
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-20 11:36:06 UTC
Stable on alpha + ia64.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 14:16:16 UTC
Ready for GLSA vote
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 02:05:22 UTC
Tool is administration-related and in path, I vote YES
Comment 18 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-22 07:27:35 UTC
I agree with koon, there should be a GLSA.
Comment 19 Romang 2005-05-22 07:39:19 UTC
Hello,

I agree also, if a GLSA is out, maybe upstream gonna correct the vulnerability :)

Regards.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-23 13:42:24 UTC
GLSA 200505-18  
 
arm, mips please remember to mark stable to benifit from the GLSA. 
Comment 21 Romang 2005-05-23 14:10:04 UTC
Hello,

Updates from upstream :

https://sourceforge.net/tracker/?func=detail&atid=112694&aid=1203376&group_id=12694

Also, published on :

http://www.zataz.net/adviso/net-snmp-05182005.txt

Regards.
Comment 22 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 19:55:29 UTC
Stable on mips.