OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Florian Weimer (WeimerCERT.Uni-Stuttgart.DE)
Date: Tue Feb 12 2002 - 10:09:19 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT

       The run-time library of the GNU Ada compiler (GNAT) handles temporary
       files in an unsafe manner.

    Systems Affected

       All POSIX multi-user systems running GNAT-compiled binaries which use
       Ada language facilities for creating temporary files are affected. The
       following GNAT versions are known to have this defect:

         * GNAT 3.12p
         * GNAT 3.13p
         * GNAT 3.14p

       (The unreleased version of GNAT from the GCC CVS fixes this
       security defect on GNU/Linux, but introduces another one. Its use
       is strongly discouraged until this problem has been addressed.)

    Attack vector

       Interactive access is usually required to exploit this vulnerability.

    Impact

       The impact depends on the application creating the temporary file. It
       ranges from temporary to permanent denial of service, from data
       eavesdropping to system compromise.

    Vulnerability Type

       /tmp race condition

    Description

       The Ada language offers a facility to create named temporary files
       (see ISO/IEC 8652:1995, section A.8.5.2). The GNAT run-time library
       creates these temporary files in an unsafe way, which can result in
       exploitable /tmp race conditions.

       In addition, the procedure GNAT.OS_Lib.Create_Temp_File creates the
       temporary file in the current directory and does not retry with a
       different file name if the generated random file name has come into
       existance before the file is opened using O_EXCL.

    Proposed Solution

       The patch below replaces the calls to tmpnam() or mktemp() with ones
       to mkstemp(). Of course, this only works on systems where mkstemp() is
       available.

         * Patch for GNAT 3.14p:
           http://cert.uni-stuttgart.de/files/fw/gnat-3.14p-mkstemp.diff

       Unfortunately, more substantial changes are required for previous
       versions of GNAT.

    Contact Status

       Ada Core Technologies was contacted on 2000-04-16.

    About RUS-CERT

       RUS-CERT (http://CERT.Uni-Stuttgart.DE/) is the Computer Emergency
       Response Team located at the Computing Center (RUS) of the
       University of Stuttgart, Germany. 

    -- 
Florian Weimer 	                  WeimerCERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898