Date: Tue, 12 Feb 2002 17:07:44 +0100
From: Florian Weimer <[email protected]>
To: [email protected]Subject: RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT
RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT
The run-time library of the GNU Ada compiler (GNAT) handles temporary
files in an unsafe manner.
Systems Affected
All POSIX multi-user systems running GNAT-compiled binaries which use
Ada language facilities for creating temporary files are affected. The
following GNAT versions are known to have this defect:
* GNAT 3.12p
* GNAT 3.13p
* GNAT 3.14p
(The unreleased version of GNAT from the GCC CVS fixes this
security defect on GNU/Linux, but introduces another one. Its use
is strongly discouraged until this problem has been addressed.)
Attack vector
Interactive access is usually required to exploit this vulnerability.
Impact
The impact depends on the application creating the temporary file. It
ranges from temporary to permanent denial of service, from data
eavesdropping to system compromise.
Vulnerability Type
/tmp race condition
Description
The Ada language offers a facility to create named temporary files
(see ISO/IEC 8652:1995, section A.8.5.2). The GNAT run-time library
creates these temporary files in an unsafe way, which can result in
exploitable /tmp race conditions.
In addition, the procedure GNAT.OS_Lib.Create_Temp_File creates the
temporary file in the current directory and does not retry with a
different file name if the generated random file name has come into
existance before the file is opened using O_EXCL.
Proposed Solution
The patch below replaces the calls to tmpnam() or mktemp() with ones
to mkstemp(). Of course, this only works on systems where mkstemp() is
available.
* Patch for GNAT 3.14p:
http://cert.uni-stuttgart.de/files/fw/gnat-3.14p-mkstemp.diff
Unfortunately, more substantial changes are required for previous
versions of GNAT.
Contact Status
Ada Core Technologies was contacted on 2000-04-16.
About RUS-CERT
RUS-CERT (http://CERT.Uni-Stuttgart.DE/) is the Computer Emergency
Response Team located at the Computing Center (RUS) of the
University of Stuttgart, Germany.
--
Florian Weimer [email protected]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
