[
https://issues.apache.org/jira/browse/TS-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14015520#comment-14015520
]
James Peach commented on TS-2867:
---------------------------------
A quick grep shows a few suspicious lines:
{code}
lib/perl/lib/Apache/TS/Config/Records.pm: my $r = new Apache::TS::Config::Records(file => "/tmp/records.config");
lib/perl/lib/Apache/TS/Config/Records.pm: $r->write(file => "/tmp/records.config.new");
proxy/Main.cc: ProfilerStart("/tmp/ts.prof");
proxy/logging/LogObject.cc: tmpdir = "/tmp";
{code}
Coverity #1022101 and #1196468 are flagging insecure temp file usage due to an
undefined umask setting. Both of these look largely safe to me.
Interestingly, we have {{proxy.config.temp_dir}}, but nothing actually uses
that.
> traffic_shell uses predictable file names in public writable directories
> ------------------------------------------------------------------------
>
> Key: TS-2867
> URL: https://issues.apache.org/jira/browse/TS-2867
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Arno Toell
> Fix For: 4.2.2
>
>
> Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846, thus
> quoting the reporter (removed ATS 3.0 arguments):
> {quote}
> The binary `/usr/bin/traffic_shell` contains the following strings, which
> should be sufficient to explain the issue:
> /bin/sort /tmp/zonetab.tmp > /tmp/zonetab
> I didn't look at the code in depth, but there are at least two
> errors here:
> * Predictable filenames, allowing file truncation/removal.
> * Race-conditions accessing files.
> The code in question comes from:
> trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc
> {quote}
> git head is not affected as traffic_shell was removed there; however, older
> branches, including 3.0, 4.0 and 4.2, are vulnerable to this. I suggest that
> you assign a CVE ID to track this issue and fix it in all supported
> branches.
> Note that 3.0 has more vulnerabilities if you decide to fix this issue in
> 3.0 as well.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
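As an added example that is not part of this issue or of Traffic Server's own code, the following C program reproduces the two problems the reporter describes for the fixed `/tmp/zonetab.tmp` name (predictable name, truncation through a planted symlink) and shows the two fixes a reviewer would ask for: an exclusive, no-follow open with an explicit 0600 mode (so the result does not depend on the undefined umask Coverity flagged in the comment above), and `mkstemp()` in a configurable directory instead of a hard-coded `/tmp`. The scratch directory, the `victim` file, the `zonetab.tmp` symlink and `struct demo_result` are assumptions made for the demonstration; the whole thing runs inside a private `mkdtemp()` directory so it is self-contained.

```c
/* Added example, not Traffic Server code. Reproduces the fixed-name temp file
 * pattern from TS-2867 inside a private scratch directory and contrasts it with
 * an exclusive open and mkstemp(). All names below are assumptions for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_result {
    int   predictable_opened;  /* 1 if the fixed-name open succeeded through the symlink */
    off_t victim_size_after;   /* size of the victim file afterwards (0 means truncated) */
    int   exclusive_errno;     /* errno from the O_EXCL open against the planted symlink */
    int   mkstemp_mode;        /* permission bits of the mkstemp() file */
};

/* Vulnerable pattern behind "/tmp/zonetab.tmp": fixed name in a shared directory,
 * O_TRUNC, symlinks followed, mode subject to the process umask. An attacker who
 * plants a symlink at `path` first gets the caller to truncate the link target. */
static int open_temp_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened open: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already sits at `path`; O_NOFOLLOW is defence in depth; an explicit
 * 0600 mode does not depend on the umask. Still only safe for a name an
 * attacker cannot pre-create, which is what mkstemp() below provides. */
static int open_temp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: kernel-chosen unpredictable suffix, created 0600 with O_EXCL.
 * `dir` stands in for a configured temp directory (e.g. proxy.config.temp_dir)
 * rather than a hard-coded "/tmp". Writes the chosen path into `path`. */
static int open_temp_random(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/zonetab.XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);
}

/* Runs the attack against the predictable open, then the two fixes.
 * Returns 0 on success and fills in `r`; returns -1 on a setup failure. */
int run_demo(struct demo_result *r)
{
    char scratch[1024], victim[1100], link[1100], rnd[1100];
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    struct stat st;
    int fd;

    /* Private 0700 directory with an unpredictable name: the safe way to use /tmp. */
    snprintf(scratch, sizeof scratch, "%s/tsdemo.XXXXXX", base);
    if (!mkdtemp(scratch))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", scratch);
    snprintf(link, sizeof link, "%s/zonetab.tmp", scratch);

    /* A file the privileged caller owns and an attacker wants destroyed. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6)
        return -1;
    close(fd);

    /* Attacker plants the predictable name as a symlink to the victim. */
    if (symlink(victim, link) != 0)
        return -1;

    fd = open_temp_predictable(link);          /* follows the link, truncates victim */
    r->predictable_opened = fd >= 0;
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0)
        return -1;
    r->victim_size_after = st.st_size;

    fd = open_temp_exclusive(link);            /* refuses the pre-existing symlink */
    r->exclusive_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    fd = open_temp_random(scratch, rnd, sizeof rnd);
    if (fd < 0 || fstat(fd, &st) != 0)
        return -1;
    r->mkstemp_mode = st.st_mode & 0777;
    close(fd);

    unlink(rnd); unlink(link); unlink(victim); rmdir(scratch);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("setup"); return 1; }
    printf("predictable open succeeded: %d, victim size after: %lld\n",
           r.predictable_opened, (long long)r.victim_size_after);
    printf("exclusive open errno: %d (%s)\n", r.exclusive_errno, strerror(r.exclusive_errno));
    printf("mkstemp mode: %04o\n", r.mkstemp_mode);
    return 0;
}
```

Where the file is written by a child process, as with the `sort` redirection in the reporter's string, open flags in the parent do not help; the parent should create a private directory with `mkdtemp()` and hand the child paths under it, which is also the fix that would make `proxy.config.temp_dir` meaningful.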