oss-sec mailing list archives

Re: [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race condition in annotate-output


From: Jakub Wilk <jwilk () debian org>
Date: Fri, 31 Aug 2012 20:23:32 +0200

* Jan Lieskovsky <jlieskov () redhat com>, 2012-08-31, 11:22:
> A TOCTOU race condition was found in the way 'annotate-output' (used to execute a program annotating the output linewise with time and stream) tool of rpmdevtools, a suite of scripts and (X)Emacs support files to aid in development of RPM packages, performed management of its temporary files used for standard output and standard error output. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability in an unauthorized way to alter files belonging to the user running the 'annotate-output' tool.

The vulnerable code appears to be:

OUT=`mktemp --tmpdir annotate.XXXXXX` || exit 1
ERR=`mktemp --tmpdir annotate.XXXXXX` || exit 1
rm -f $OUT $ERR
mkfifo $OUT $ERR || exit 1

But mkfifo will never create a FIFO over a symlink; the underlying library function fails with EEXISTS when "pathname already exists. This includes the case where pathname is a symbolic link, dangling or not." So AFAICS it's just a DoS, not something giving the attacker "ability in an unauthorized way to alter files".

--
Jakub Wilk
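Added illustration, not code from the thread or from annotate-output itself: the first function checks the claim above that mkfifo refuses a path that already exists as a symlink, and the second shows the race-free alternative of creating both FIFOs inside a private directory from mktemp -d, which removes the window between rm and mkfifo entirely. Function names are hypothetical; GNU mktemp is assumed for --tmpdir.

```shell
#!/bin/sh
# Returns 0 if mkfifo refuses to replace a pre-existing symlink and the
# link is left untouched (the behaviour the reply relies on).
mkfifo_refuses_symlink() {
    d=$(mktemp -d) || return 1
    ln -s /dev/null "$d/fifo"            # constructed attacker-style symlink
    if mkfifo "$d/fifo" 2>/dev/null; then
        rm -rf "$d"; return 1            # link was replaced: unexpected
    fi
    if [ -L "$d/fifo" ]; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

# Race-free replacement for the mktemp / rm -f / mkfifo sequence:
# a private 0700 directory is created atomically, and the FIFOs are made
# inside it, so no other local user can plant a path under those names.
make_private_fifos() {
    TMPD=$(mktemp -d --tmpdir annotate.XXXXXX) || return 1
    OUT="$TMPD/out"; ERR="$TMPD/err"
    mkfifo -m 0600 "$OUT" "$ERR" || { rm -rf "$TMPD"; return 1; }
    printf '%s\n' "$TMPD"                # caller removes it when done
}

# Returns 0 if the directory is 0700 and both entries are real FIFOs.
fifos_are_private() {
    TMPD=$(make_private_fifos) || return 1
    perms=$(ls -ld "$TMPD" | cut -c1-10)
    if [ "$perms" = "drwx------" ] && [ -p "$TMPD/out" ] && [ -p "$TMPD/err" ]
    then r=0; else r=1; fi
    rm -rf "$TMPD"
    return $r
}
```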

