[ https://issues.apache.org/jira/browse/TS-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062567#comment-14062567 ]
ASF subversion and git services commented on TS-2867:
-----------------------------------------------------
Commit a62056d4b10d34abb3d0c439501f139673f594b0 in trafficserver's branch
refs/heads/4.2.x from [~psudaemon]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=a62056d ]
TS-2867: Remove clock functionality from traffic_shell to address temporary
file handling issues.
> traffic_shell uses predictable file names in public writable directories
> ------------------------------------------------------------------------
>
> Key: TS-2867
> URL: https://issues.apache.org/jira/browse/TS-2867
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Arno Toell
> Assignee: Phil Sorber
> Fix For: 4.2.2
>
>
> Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846, thus
> quoting the reporter (removed ATS 3.0 arguments):
> {quote}
> The binary `/usr/bin/traffic_shell` contains the following strings, which
> should be sufficient to explain the issue:
> /bin/sort /tmp/zonetab.tmp > /tmp/zonetab
> I didn't look at the code in depth, but there are at least two
> errors here:
> * Predictable filenames, allowing file truncation/removal.
> * Race-conditions accessing files.
> The code in question comes from:
> trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc
> {quote}
> git head is not affected as traffic_shell was removed there; however, older
> branches, including 3.0, 4.0 and 4.2, are vulnerable to this. I suggest that
> you assign a CVE ID to track this issue and fix this issue in all supported
> branches.
> Note that 3.0 has more vulnerabilities if you decide to fix this issue in
> 3.0 as well.
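For code that has to keep writing a sorted file rather than dropping the feature as the commit above does, the two reported problems (predictable names and races) can be avoided as in the following added example, which is not Traffic Server code and not part of the original report. The names `write_sorted` and `symlink_check` and the service-owned output directory are assumptions made for illustration; the zone names are constructed sample data.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int cmp_lines(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}
/* Sort `lines` and publish them as dir/name. Assumes `dir` is owned by the
 * service and not writable by other users. Returns 0 on success, -1 on error. */
int write_sorted(const char *dir, const char *name, const char **lines, size_t n) {
    char tmp[4096], dst[4096];
    if (snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name) >= (int)sizeof tmp ||
        snprintf(dst, sizeof dst, "%s/%s", dir, name) >= (int)sizeof dst)
        return -1;
    int fd = mkstemp(tmp);            /* O_CREAT|O_EXCL, mode 0600, random name */
    if (fd < 0) return -1;
    qsort(lines, n, sizeof *lines, cmp_lines);
    int ok = 1;
    for (size_t i = 0; i < n && ok; i++)
        ok = dprintf(fd, "%s\n", lines[i]) > 0;
    ok = ok && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (ok && rename(tmp, dst) == 0)  /* atomic; replaces a symlink, never follows it */
        return 0;
    unlink(tmp);
    return -1;
}

/* Constructed check: a symlink planted at the destination name must not
 * redirect the write into the file it points at. Returns 0 if that holds. */
int symlink_check(void) {
    char dir[] = "/tmp/zonetab-demo.XXXXXX", victim[64], dst[64], buf[16] = {0};
    const char *zones[] = {"Europe/Berlin", "Asia/Tokyo", "America/Chicago"};
    struct stat st;
    if (!mkdtemp(dir)) return -1;     /* private 0700 directory for the demo */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dst, sizeof dst, "%s/zonetab", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("keep", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, dst) != 0 || write_sorted(dir, "zonetab", zones, 3) != 0 ||
        lstat(dst, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    f = fopen(victim, "r");
    if (!f || !fgets(buf, sizeof buf, f) || fclose(f) != 0) return -1;
    unlink(victim); unlink(dst); rmdir(dir);
    return strcmp(buf, "keep") == 0 && strcmp(zones[0], "America/Chicago") == 0 ? 0 : 1;
}
int main(void) { return symlink_check(); }
```

The temporary file is created in the same directory as the destination so that `rename()` stays on one filesystem and remains atomic.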