Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 94587 - net-im/silc-server-0.9.21 insecure temporary file creation
Summary: net-im/silc-server-0.9.21 insecure temporary file creation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2005-05-31 00:43 UTC by Romang
Modified: 2005-09-08 06:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

use O_EXCL (silcd-tmpfile.diff,499 bytes, patch)
2005-06-20 05:56 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Romang 2005-05-31 00:43:27 UTC

In silcd/silcd.c

258 /* Dump server statistics into a file into /tmp directory */
260 SILC_TASK_CALLBACK(dump_stats)
261 {
262   FILE *fdd;
263   char filename[256];
265   memset(filename, 0, sizeof(filename));
266   snprintf(filename, sizeof(filename) - 1, "/tmp/silcd.%d.stats", getpid());
267   fdd = fopen(filename, "w+");
268   if (!fdd)
269     return;
271 #define STAT_OUTPUT(fmt, stat) fprintf(fdd, fmt "\n", (int)stat);
273   fprintf(fdd, "SILC Server %s Statistics\n\n", silcd->server_name);
274   fprintf(fdd, "Local Stats:\n");


silc-server-0.9.21 is masked but silc-toolkit-0.9.12 not.

This code is vulnerable to symlink attack.

Comment 1 Romang 2005-06-09 01:06:44 UTC
what about this bug ?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-09 09:35:57 UTC
It's still an Auditing bug, waiting for Tavis to push it back to Vulnerabilities :)
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-11 09:37:14 UTC
silc-toolkit package doesnt include the daemon, so it's safe...the silc-server 
does, but the only time that code is exercised is on receiving a SIGUSR1, so 
this is highly unlikely to ever be successfully exploited.

As the server is masked there wont be a glsa for this, but upstream should be 
informed and a patch applied before being unmasked.
Comment 4 Romang 2005-06-11 16:51:31 UTC

I contact upstream.

Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-20 05:56:50 UTC
Created attachment 61573 [details, diff]
use O_EXCL

something like this will do the trick. tested and working.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 08:12:30 UTC
Vendor responded, waiting for fixed version
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 04:45:01 UTC
Eric, any news of upstream release date ?
Comment 8 Romang 2005-07-25 00:18:17 UTC

No vendor feedback since gentoo advise.

Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-27 07:06:59 UTC
Eric: I think you can consider releasing this one, maybe resend them an email
first letting them know when you'll do it ?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-15 09:52:19 UTC
Any news on this one? 
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 08:37:33 UTC
Eric: let me know what you want to do with this one.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-01 05:22:42 UTC
Public, see URL
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:19:05 UTC
Apparently upstream is in no hurry to fix it.
net-irc: please bump with provided patch.
Comment 14 Sven Wegener gentoo-dev 2005-09-08 06:32:09 UTC
net-im/silc-server has been bumped.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-09-08 06:42:56 UTC
Many thanks, Sven.