insecure socket file creation

Bug #44171 reported by nodata
Affects: spread (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jérémie Corbier

Bug Description

Binary package hint: spread

On start, spread creates a file /tmp/PORTNUMBER where PORTNUMBER is 4803 by default.

If an existing file named /tmp/PORTNUMBER exists, it will be deleted before a socket with the same name is created.

Martin Pitt (pitti) wrote :

For the record: forwarded to upstream and to vendor-sec.

Martin Pitt (pitti) wrote :

Opening bug; we do not officially support spread, and nobody on vendor-sec requested an embargo.

Martin Pitt (pitti) wrote :

This is indeed pretty low impact. It does not allow a symlink attack since the file is deleted before usage, and the small race between unlink() and bind() does not hurt too much either since bind() will just fail if the file already exists. So there are two minor consequences:

 * It removes a file /tmp/<port> which might just happen to be a file which you still need
 * It opens a small race condition for a local DoS.

Changed in spread:
importance: Medium → Low
status: Unconfirmed → Confirmed

Jérémie Corbier (jcorbier) wrote :

New package fixing this issue uploaded to edgy.

Changed in spread:
status: Confirmed → Fix Committed

Jérémie Corbier (jcorbier) wrote :

spread (3.17.3-4ubuntu1) edgy; urgency=low

  * Merge from debian unstable:
    -> /var/run/spread created by the init script if it does not exist.

spread (3.17.3-4) unstable; urgency=high

  * CVE-2006-3118: insecure temporary file handling (Closes: #375617)
  * Build depends now on dpatch
  * Update standards version to 3.7.2

 -- Jeremie Corbier <email address hidden> Fri, 22 Sep 2006 19:49:11 -0700

Changed in spread:
assignee: nobody → jcorbier
status: Fix Committed → Fix Released