insecure socket file creation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| spread (Ubuntu) | | Low | Jérémie Corbier | |
Bug Description
Binary package hint: spread
On start, spread creates a file /tmp/PORTNUMBER where PORTNUMBER is 4803 by default.
If an existing file named /tmp/PORTNUMBER exists, it will be deleted before a socket with the same name is created.
CVE References
| Martin Pitt (pitti) wrote : | #1 |
| Martin Pitt (pitti) wrote : | #2 |
Opening bug; we do not officially support spread, and nobody on vendor-sec requested an embargo.
| Martin Pitt (pitti) wrote : | #3 |
This is indeed pretty low impact. It does not allow a symlink attack since the file is deleted before usage, and the small race between unlink() and bind() does not hurt too much either since bind() will just fail if the file already exists. So there are two minor consequences:
* It removes a file /tmp/<port> which might just happen to be a file which you still need
* It opens a small race condition for a local DoS.
| Changed in spread: | |
| importance: | Medium → Low |
| status: | Unconfirmed → Confirmed |
| Jérémie Corbier (jcorbier) wrote : | #4 |
New package fixing this issue uploaded to edgy.
| Changed in spread: | |
| status: | Confirmed → Fix Committed |
| Jérémie Corbier (jcorbier) wrote : | #5 |
spread (3.17.3-4ubuntu1) edgy; urgency=low
* Merge from debian unstable:
-> /var/run/spread created by the init script if it does not exist.
spread (3.17.3-4) unstable; urgency=high
* CVE-2006-3118: insecure temporary file handling (Closes: #375617)
* Build depends now on dpatch
* Update standards version to 3.7.2
-- Jeremie Corbier <email address hidden> Fri, 22 Sep 2006 19:49:11 -0700
| Changed in spread: | |
| assignee: | nobody → jcorbier |
| status: | Fix Committed → Fix Released |


For the record: forwarded to upstream and to vendor-sec.