CERT Coordination Center

getty_ps creates temporary files insecurely

Vulnerability Note VU#342768

Original Release Date: 2001-10-01 | Last Revised: 2004-07-28

Overview

getty_ps is an open-source software package designed to support logons to the console and terminals. Some implementations create temporary files insecurely with predictable names, which allows arbitrary files to be corrupted through a symbolic link attack.

Description

Under certain circumstances, getty_ps will create files in the /tmp file system in an insecure manner. The program uses a naming scheme that could make it possible to guess the names of future files in the /tmp directory, and it does not check whether the file already exists before attempting to create it.

Impact

By creating symbolic links in /tmp with appropriate names, an attacker could cause getty_ps to overwrite files writable by the effective UID of this package. Since this package is normally run as root, any file on the system could be corrupted in this way.

Solution

Apply vendor patches; see the Systems Affected section below.

Vendor Information


Immunix Affected

Notified:  January 10, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

Immunix Security Advisory 2000-70-025-01

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----------------------------------------------------------------------
Packages updated:   getty_ps
Affected products:  Immunix OS 7.0-beta
Bugs Fixed:         immunix/1317
Date:               January 10, 2000
Advisory ID:        IMNX-2000-70-025-01
Author:             Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------


Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the getty_ps program.

  A patch has been applied that fixes this problem, however the
  maintainer of the program never responded to our email message about
  this problem.

  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/getty_ps-2.0.7j-12_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/getty_ps-2.0.7j-12_StackGuard_2.src.rpm

md5sums of the packages:
 ebe7518773d6598ef520233236488b7a  getty_ps-2.0.7j-12_StackGuard_2.i386.rpm
 22576dbf9d22ee4bb16811bddc9abd00  getty_ps-2.0.7j-12_StackGuard_2.src.rpm

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Notified:  January 10, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/mandrake_advisory-1037.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

getty_ps Affected

Updated:  July 28, 2004

Status

Affected

Vendor Statement

The patched release will be 2.1.0a, and all future releases (2.1.0b or higher, or the scheduled 2.1.1). The fix should be released in the next 7 days.

Please note that this vulnerability exists in all previous releases that I have copies of (going back to 2.0.4), and I assume all the way back from there.

Important PLEASE NOTE: this problem *only* occurs if the package was compiled with SYSLOG_DEBUG *not* defined, which should *not* be the case in production versions. (The vulnerability is caused by a debug file.) The *simplest* fix is to check the source code (file "tune.h"), for "#define SYSLOG" and "#define SYSLOG_DEBUG". If present, then this vulnerability does *not* exist, as the code that creates the file in question is disabled. If *not* present, then include these in the tune.h file, re-compile, and re-install.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Not Affected

Notified:  August 21, 2001 Updated: August 28, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The version shipped by SuSE does not appear to be vulnerable.

Debian Unknown

Notified:  August 21, 2001 Updated: October 01, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Unknown

Notified:  August 21, 2001 Updated: October 01, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  August 21, 2001 Updated: October 01, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Unknown

Notified:  August 21, 2001 Updated: October 01, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

This vulnerability was first reported by Greg Kroah-Hartman.

This document was written by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0119
Severity Metric: 5.63
Date Public: 2001-01-10
Date First Published: 2001-10-01
Date Last Updated: 2004-07-28 15:31 UTC
Document Revision: 16

Sponsored by CISA.