ace /tmp file vulnerability

2014-09-07 / 2014-09-20

Credit: Helmut

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2014-6311

CWE: CWE-330

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html

In bin/generate_doxygen.pl line 177 it says:
my $output = "/tmp/".$i.".".$$.".doxygen";

This path is later opened for writing. For context, see:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177

Initial disclosure: http://bugs.debian.org/760709

(end of CVE request)

A quick "grep -r /tmp $ace_source" indicates more occasions that may be
worth researching. Most of the results reside within examples or
documentation though.

An interesting find is bin/g++-dep line 63:
TMP=/tmp/g++dep$$
This path is also used for writing. The context can be found at:
http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63
I am not sure whether instance is actually executed during the build,
but the Debian package installs it to the development package available
for user consumption.

Thanks

Helmut

References:

http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177

http://www.dre.vanderbilt.edu/~schmidt/ACE.html

http://seclists.org/oss-sec/2014/q3/517

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ace /tmp file vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.