STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability
Date: 24 Nov 2004 02:59:03 -0000 To: email@example.com('binary' encoding is not supported, stored as-is)
STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (firstname.lastname@example.org)
cscope is an interactive, screen-oriented tool that allows users to
browse through C source files for specified elements of code.
It is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files with the right of the user running them, which
could be root.
Design error: insecure temp file handling
cscope was not designed to handle temp file securely.
main.c 332 line
/* create the temporary file names */
pid = getpid();
(void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
(void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
temporary files created with predictable names.
If temp1, temp2 are assigned once, they aren't changed until cscope is
terminated. Because cscope uses temp1, temp2 values repeatedly whenever user
searches specified element of code, it's trivial to guess the names of temp
Medium: System file corruption.
Do *NOT* run cscope as the right of root.
rexolab's patch isn't the correct patch to this problem.
cscope is made with C language, not PHP language, fopen() doesn't support
mode 'x' in C library.
cscope 15.5 and prior
Vendor Status: NOT FIXED
2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*)
2004-11-08 cscope developer notified.
2004-11-17 rexolab released the advisory irresponsibly and incorrectly.
2004-11-22 Official release.
Jeremy Bae at STG Security