[ https://issues.apache.org/jira/browse/TS-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14015526#comment-14015526 ]

Leif Hedstrom commented on TS-2867:
-----------------------------------

Yeah, those first two lines are from the Docs section from the .pm, you could 
argue they might be bad examples, but clearly not CVE material :). The one in 
LogObject.cc is from a regression test.

If we are not using proxy.config.temp_dir, nuke it? Alternatively, do we need 
to file an RFE to actually use proxy.config.temp_dir instead of hardcoded /tmp?

> traffic_shell uses predictable file names in public writable directories
> ------------------------------------------------------------------------
>
>                 Key: TS-2867
>                 URL: https://issues.apache.org/jira/browse/TS-2867
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Arno Toell
>             Fix For: 4.2.2
>
>
> Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846, thus 
> quoting the reporter (removed ATS 3.0 arguments):
> {quote}
> The binary `/usr/bin/traffic_shell` contains the following strings, which
> should be sufficient to explain the issue:
>     /bin/sort /tmp/zonetab.tmp > /tmp/zonetab
> I didn't look at the code in depth, but there are at least two
> errors here:
>  * Predictable filenames, allowing file truncation/removal.
>  * Race-conditions accessing files.
> The code in question comes from:
>    trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc
> {quote}
> git head is not affected, as traffic_shell was removed there; however, older 
> branches, including 3.0, 4.0 and 4.2, are vulnerable to this. I suggest that 
> you assign a CVE ID to track this issue and fix this issue in all supported 
> branches.
> Note that 3.0 has more vulnerabilities if you decide to fix this issue in 
> 3.0 as well.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
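
One way to avoid the fixed `/tmp/zonetab.tmp` then `/tmp/zonetab` pattern quoted in the report, shown as an added example that is not part of the original message or of the Traffic Server code base. The function name `publish_atomically` and its parameters are hypothetical, and the target directory is assumed to be writable only by the daemon, as a configured temp directory would be.

```c
/* Added example, not Traffic Server code. `dir` is assumed to be writable only
 * by the daemon (for instance the directory named by proxy.config.temp_dir). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to an unpredictably named, mode-0600 scratch file in `dir`,
 * then rename() it over dir/final_name so readers never see a partial file.
 * Returns 0 on success, -1 with errno set on failure. */
int publish_atomically(const char *dir, const char *final_name,
                       const char *data, size_t len)
{
    char tmpl[PATH_MAX], dest[PATH_MAX];
    int fd, rc, saved;

    if (snprintf(tmpl, sizeof tmpl, "%s/.%s.XXXXXX", dir, final_name) >= (int)sizeof tmpl ||
        snprintf(dest, sizeof dest, "%s/%s", dir, final_name) >= (int)sizeof dest) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmpl);          /* O_CREAT|O_EXCL with a random suffix */
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            goto fail;
        data += n;
        len -= (size_t)n;
    }
    if (fsync(fd) != 0)
        goto fail;
    rc = close(fd);
    fd = -1;                     /* never close the descriptor twice */
    if (rc == 0 && rename(tmpl, dest) == 0)
        return 0;
fail:
    saved = errno;
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    errno = saved;
    return -1;
}
```

Because `mkstemp()` creates the scratch file exclusively, a name that already exists is never opened or truncated, and `rename()` replaces the destination entry itself rather than writing through it.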
