Bug 91792 - net-analyzer/net-snmp fixproc insecure temporary file creation
Summary: net-analyzer/net-snmp fixproc insecure temporary file creation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Depends on:
Reported: 2005-05-07 04:59 UTC by eromang
Modified: 2005-08-15 21:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description eromang 2005-05-07 04:59:08 UTC

Just take a look at /usr/bin/fixproc

Line 233 :

# it must be "shell", so execute the shell script defined in database

local ($tmpfile) = "/tmp/fix_$$";
&create_sh_script ($fix{$proc}, $tmpfile);
# return code is number divided by 256
$error_code = (system "$tmpfile") / 256;


We see that the tmp file is created with the $$ value and this script is executed by the Perl system command.

The subfunction does only this:


sub create_sh_script
{
  local ($file) = pop (@_);
  local ($i) = pop (@_);

  printf (stderr "create_sh_script\n") if ($debug > 0);

  $! = $fixproc_error;
  # the predictable path is opened by name with O_CREAT|O_TRUNC, no O_EXCL
  open (file, ">"."$file") || die "$0: cannot open $file\n";
  while ( $shell_lines[$i] ne $shell_end_marker )
  {
      printf (file "%s", $shell_lines[$i]);
      $i++;   # advance to the next script line
  }
  close (file);
  # a second operation on the same path, again by name and through a shell
  system "chmod +x $file";
  return file;
}


My knowledge of Perl is not so good, but maybe a TOCTOU or race condition could be exploited here, and permit a basic user to run arbitrary commands on the system?


Reproducible: Always
Steps to Reproduce:

Actual Results:  
local ($tmpfile) = "/tmp/fix_$$"; is created without mktemp and chmod

Expected Results:  
local ($tmpfile) = "/tmp/fix_$$"; should, maybe, be created with mktemp and chmod
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-07 10:11:19 UTC
Auditors please confirm.
Comment 2 Robert Paskowitz (RETIRED) gentoo-dev 2005-05-07 21:03:09 UTC
Looks like it could be a legitimate problem, but a call to mktemp from a perl script seems a bit excessive. Also, the same thing happens in do_check, so if one is to be fixed, the second should as well.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 23:15:34 UTC
Taviso/Tigger/Solar please advise.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-11 15:12:58 UTC
Confirmed, insecure tmp file handling, with a race condition for arbitrary command execution.

File::Temp should be used instead of a pid based template.
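Added example, not net-snmp's code: a hardened counterpart of the create_sh_script / call-site pattern quoted in the description, using File::Temp as suggested above. The names create_sh_script_safe and run_fix_script are mine, and the @shell_lines / $shell_end_marker contents are constructed stand-ins for fixproc's database-derived script lines.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-ins for fixproc's database-derived script lines.
my $shell_end_marker = "END_SHELL\n";
my @shell_lines = ("#!/bin/sh\n", "echo fix ran\n", "exit 3\n", $shell_end_marker);

# Hardened counterpart of create_sh_script: tempfile() creates the file with
# O_CREAT|O_EXCL, mode 0600 and an unpredictable name, so a pre-planted
# /tmp/fix_<pid> symlink is never followed. Returns (path, dev, inode).
sub create_sh_script_safe {
    my ($i) = @_;
    my ($fh, $path) = tempfile("fix_XXXXXXXX", TMPDIR => 1, UNLINK => 1);
    while ($shell_lines[$i] ne $shell_end_marker) {
        print {$fh} $shell_lines[$i];
        $i++;
    }
    # fchmod on the open handle (owner-only exec), not "chmod +x $file" via sh.
    chmod 0700, $fh or die "chmod: $!";
    my ($dev, $ino) = stat $fh;
    close $fh or die "close: $!";   # exec would fail (ETXTBSY) with a writer open
    return ($path, $dev, $ino);
}

# Counterpart of the call site at line 233: run the script without a shell.
sub run_fix_script {
    my ($i) = @_;
    my ($path, $dev, $ino) = create_sh_script_safe($i);
    # Sanity check: the name must still refer to the inode we wrote
    # (sticky /tmp prevents another user from unlinking or renaming it).
    my @n = lstat $path;
    die "temp file replaced before exec\n"
        unless @n && $n[0] == $dev && $n[1] == $ino;
    # Indirect-object form of system() never invokes /bin/sh on the path.
    system { $path } $path;
    die "exec failed: $!\n" if $? == -1;
    return $? >> 8;   # exit status, the "divided by 256" in fixproc
}

print "fix script exit status: ", run_fix_script(0), "\n";
```

The same change applies to the do_check path mentioned in comment 2, which uses the identical pid-based template.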
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 21:17:13 UTC
Max will you relay this to upstream?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:32:15 UTC
Or maybe the reporter (eromang) wants to report upstream to get the credits ?
Comment 7 Romang 2005-05-17 01:13:15 UTC

OK, I have contacted upstream.

Comment 8 Romang 2005-05-17 23:26:31 UTC

Take a look at this:

* Tue Mar 16 2004 -
  - use mktemp in fixproc (#36103)

But net-snmp-5.2.1 is still not corrected....

It seems that upstream doesn't care about this bug.

Comment 9 Aaron Walker (RETIRED) gentoo-dev 2005-05-18 08:30:53 UTC
5.2.1-r1 is in CVS. x86 stable. CC'd archs please stable.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-05-18 10:17:38 UTC
stable on ppc64
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-18 10:27:25 UTC
Stable on ppc.
Comment 12 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-18 10:38:12 UTC
stable on amd64
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-05-18 11:51:39 UTC
stable on hppa
Comment 14 Jason Wever (RETIRED) gentoo-dev 2005-05-18 14:49:22 UTC
Sparcky SPARC and the Stable Bunch
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-20 11:36:06 UTC
Stable on alpha + ia64.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 14:16:16 UTC
Ready for GLSA vote
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 02:05:22 UTC
Tool is administration-related and in path, I vote YES
Comment 18 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-22 07:27:35 UTC
I agree with koon, there should be a GLSA.
Comment 19 Romang 2005-05-22 07:39:19 UTC

I agree also; if a GLSA is out, maybe upstream is gonna correct the vulnerability :)

Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-23 13:42:24 UTC
GLSA 200505-18
arm, mips please remember to mark stable to benefit from the GLSA.
Comment 21 Romang 2005-05-23 14:10:04 UTC

Updates from upstream:

Also, published on:

Comment 22 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 19:55:29 UTC
Stable on mips.