Debian Bug report logs - #737206
/usr/lib/plan9/bin/rc: CVE-2014-1935: insecure use of /tmp


Package: 9base; Maintainer for 9base is Debian QA Group <packages@qa.debian.org>; Source for 9base is src:9base (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 31 Jan 2014 11:06:01 UTC

Severity: important

Tags: security

Found in version 9base/1:6-6

Forwarded to rsc@swtch.com, anselm@garbe.us, 9trouble@plan9.bell-labs.com, 9fans@9fans.net



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Gergely Nagy <algernon@madhouse-project.org>:
Bug#737206; Package 9base. (Fri, 31 Jan 2014 11:06:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/lib/plan9/bin/rc: insecure use of /tmp
Date: Fri, 31 Jan 2014 12:03:28 +0100
Package: 9base
Version: 1:6-6
Severity: important
Tags: security

Murray McAllister from Red Hat Security Response Team discovered that rc 
creates temporary files in an insecure way:

$ strace -o '| grep /tmp' ./test-heredoc
open("/tmp/here217f.0000", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 5
open("/tmp/here217f.0000", O_RDONLY|O_LARGEFILE) = 5
moo
unlink("/tmp/here217f.0000")            = 0


As you can see, the filenames are easily predictable, and the O_EXCL 
flag is missing.

-- 
Jakub Wilk
[test-heredoc (text/plain, attachment)]
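The open(2) pattern visible in the trace above, next to the hardened form and two checks a reviewer would run, as an added C example that is not part of the report or of 9base's own rc source; the function names and the /tmp template paths are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the strace shows: a predictable name, no O_EXCL, mode
 * 0666.  Whatever already sits at that path (a symlink, say) is
 * silently truncated and the here-document body is written into it. */
int open_heredoc_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: mkstemp(3) replaces the trailing XXXXXX with an
 * unpredictable suffix and creates the file with O_CREAT|O_EXCL and
 * mode 0600; unlinking at once leaves the here-document as an fd only. */
int open_heredoc_secure(char *tmpl) {   /* tmpl must end in "XXXXXX" */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);       /* the descriptor stays valid without the name */
    return fd;
}

/* Check for the missing flag: with O_EXCL, open() must refuse an
 * existing path with EEXIST instead of reusing it.  Returns 1 if so. */
int excl_refuses_existing(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {      /* must not happen for an existing path */
        close(fd);
        return 0;
    }
    return errno == EEXIST;
}

/* Permission bits of an open file; expect no group/other bits. */
int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Size of an open file; shows O_TRUNC discarding existing contents. */
long fd_size(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_size : -1;
}
```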

Changed Bug title to '/usr/lib/plan9/bin/rc: CVE-2014-1935: insecure use of /tmp' from '/usr/lib/plan9/bin/rc: insecure use of /tmp' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 06:30:14 GMT)


Set Bug forwarded-to-address to 'rsc@swtch.com, anselm@garbe.us, 9trouble@plan9.bell-labs.com, 9fans@9fans.net'. Request was from Stéphane Aulery <saulery@free.fr> to control@bugs.debian.org. (Wed, 03 Dec 2014 23:54:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:51:21 2025; Machine Name: buxtehude
