[
https://issues.apache.org/jira/browse/TS-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14015584#comment-14015584
]
Arno Toell commented on TS-2867:
--------------------------------
I don't see much reason to use a configurable temp directory location; the FHS
clearly requires /tmp to be available
(http://www.pathname.com/fhs/pub/fhs-2.3.html#TMPTEMPORARYFILES) and writable.
Moreover, some init systems such as systemd might even isolate the /tmp space
from concurring applications. Creating anonymous temporary files to avoid all
the /tmp attacks ought to be good enough in my opinion.
> traffic_shell uses predictable file names in public writable directories
> ------------------------------------------------------------------------
>
> Key: TS-2867
> URL: https://issues.apache.org/jira/browse/TS-2867
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Arno Toell
> Fix For: 4.2.2
>
>
> Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846, thus
> quoting the reporter (removed ATS 3.0 arguments):
> {quote}
> The binary `/usr/bin/traffic_shell` contains the following strings, which
> should be sufficient to explain the issue:
> /bin/sort /tmp/zonetab.tmp > /tmp/zonetab
> I didn't look at the code in depth, but there are at least two
> errors here:
> * Predictable filenames, allowing file truncation/removal.
> * Race-conditions accessing files.
> The code in question comes from:
> trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc
> {quote}
> git head is not affected as traffic_shell was removed there; however, older
> branches including 3.0, 4.0 and 4.2 are vulnerable to this. I suggest that
> you assign a CVE ID to track this issue and fix this issue in all supported
> branches.
> Note that 3.0 has more vulnerabilities if you decide to fix this issue in
> 3.0 as well.
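An added example, not Traffic Server code and not part of the original message: one way to get the anonymous temporary file the comment proposes, so that no fixed name like `/tmp/zonetab.tmp` exists for another local user to pre-create or replace. The function names `anon_tmpfile` and `tmp_roundtrip`, the `zonetab.XXXXXX` template and the sample data are assumptions made for illustration.

```c
#define _GNU_SOURCE            /* exposes O_TMPFILE on Linux/glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return an fd for a temporary file that has no name in /tmp, or -1. */
int anon_tmpfile(void)
{
    int fd = -1;
#ifdef O_TMPFILE
    /* Linux: the inode is never linked; O_EXCL forbids linking it in later. */
    fd = open("/tmp", O_TMPFILE | O_RDWR | O_EXCL, 0600);
#endif
    if (fd < 0) {
        /* Fallback (old kernel, unsupported filesystem): mkstemp() creates a
           random name with O_EXCL and mode 0600; unlink it immediately. */
        char path[] = "/tmp/zonetab.XXXXXX";   /* hypothetical template */
        fd = mkstemp(path);
        if (fd >= 0 && unlink(path) != 0) { close(fd); fd = -1; }
    }
    return fd;
}

/* Write data to fd, rewind, read it back into out; returns bytes read or -1. */
long tmp_roundtrip(int fd, const char *data, char *out, size_t cap)
{
    size_t len = strlen(data);
    if (cap == 0 || write(fd, data, len) != (ssize_t)len) return -1;
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    ssize_t n = read(fd, out, cap - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[64];
    int fd = anon_tmpfile();
    /* constructed sample input, not data from the issue */
    long n = fd < 0 ? -1 : tmp_roundtrip(fd, "b.example\na.example\n", buf, sizeof buf);
    printf("fd=%d bytes=%ld\n", fd, n);
    return n < 0;
}
```

Because the file is reachable only through the descriptor, any sorting has to work on the fd or in memory instead of handing a path to `/bin/sort`.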