Overview
The sort utility creates temporary files insecurely, making sort subject to a denial-of-service attack.
Description
The UNIX sort utility creates temporary files with predictable names. The files are created in a way that prevents information loss via a symlink attack, but if a file with the expected name already exists, the creation fails and sort aborts.
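The failure mode described above, next to a standard remedy, as an added example (not code from sort or from any vendor patch). Exclusive creation with `O_CREAT | O_EXCL` is assumed as the mechanism that prevents the symlink attack, `mkstemp()` is shown as the usual POSIX fix rather than as what any vendor shipped, and the `sortdemo` names, the scratch directory and the function names are made up for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Weak pattern: the name depends only on the PID (hypothetical scheme).
 * O_EXCL refuses an existing file or planted symlink, so no data is lost,
 * but creation fails with EEXIST and a caller that aborts is then blocked. */
int open_tmp_predictable(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/sortdemo%ld", dir, (long)getpid());
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Hardened pattern: mkstemp() fills in an unpredictable suffix, creates the
 * file exclusively with mode 0600, and picks another name on a collision. */
int open_tmp_mkstemp(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/sortdemo.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario in a private scratch directory: the predictable path
 * already exists. Returns 1 if the weak open hit EEXIST and mkstemp worked. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", weak[128], safe[128];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(weak, sizeof weak, "%s/sortdemo%ld", dir, (long)getpid());
    int pre = open(weak, O_WRONLY | O_CREAT, 0600);  /* file already in place */
    if (pre >= 0) close(pre);

    errno = 0;
    int fd1 = open_tmp_predictable(dir, weak, sizeof weak);
    int weak_blocked = (fd1 < 0 && errno == EEXIST);
    int fd2 = open_tmp_mkstemp(dir, safe, sizeof safe);
    int safe_ok = (fd2 >= 0);

    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) { close(fd2); unlink(safe); }
    unlink(weak);
    rmdir(dir);
    return weak_blocked && safe_ok;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```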
Impact
By crashing the sort utility, an intruder may be able to block the operation of system administration programs.
Solution
Apply vendor patches; see the Systems Affected section below.
Vendor Information
Apple Computer Inc. Affected
Notified: June 13, 2001 Updated: October 04, 2001
Status
Affected
Vendor Statement
http://www.apple.com/support/security/security_updates.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Affected
Notified: January 30, 2001 Updated: June 12, 2001
Status
Affected
Vendor Statement
http://www.linuxsecurity.com/advisories/freebsd_advisory-1111.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
FreeBSD Affected
Notified: April 23, 2001 Updated: August 14, 2001
Status
Affected
Vendor Statement
http://www.linuxsecurity.com/advisories/freebsd_advisory-1314.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Hewlett-Packard Company Affected
Notified: June 13, 2001 Updated: July 27, 2001
Status
Affected
Vendor Statement
Probably vulnerable, under investigation.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SGI Affected
Notified: June 13, 2001 Updated: May 29, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SGI has released SGI Security Advisory 20020401-01-P, subsequently updated with SGI Security Advisory 20020401-02-P, in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
The SCO Group (SCO Linux) Affected
Notified: June 13, 2001 Updated: January 29, 2002
Status
Affected
Vendor Statement
Our shipping versions are affected by this denial of service attack:
- OpenLinux 2.3
- OpenLinux eServer 2.3.1
- OpenLinux eDesktop 2.4
We have not issued security updates for those platforms.
However, we have fixed this issue in our upcoming products.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
The SCO Group (SCO UnixWare) Affected
Notified: June 13, 2001 Updated: May 29, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Caldera International, Inc. has released the following Security Advisories in response to this issue:
Users are encouraged to review these advisories and apply the patches they refer to.
Fujitsu Not Affected
Notified: June 13, 2001 Updated: June 20, 2001
Status
Not Affected
Vendor Statement
Fujitsu's UXP/V operating system is not vulnerable to the sort vulnerability described here, because the implementation of the sort command in UXP/V is different from the implementation described here.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sun Microsystems Inc. Not Affected
Notified: June 13, 2001 Updated: July 27, 2001
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
BSDI Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
DEC Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Data General Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Debian Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
IBM Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NEC Corporation Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NeXT Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NetBSD Unknown
Notified: June 13, 2001 Updated: August 14, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
OpenBSD Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sequent Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Siemens Nixdorf Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sony Corporation Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisys Unknown
Notified: June 13, 2001 Updated: July 24, 2001
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Acknowledgements
This vulnerability was identified by FreeBSD.
This document was last modified by Tim Shimeall.
Other Information
CVE IDs: CVE-2001-0310
Severity Metric: 0.84
Date Public: 2001-01-30
Date First Published: 2001-08-20
Date Last Updated: 2003-05-29 18:48 UTC
Document Revision: 14