Bugzilla – Bug 868822
VUL-1: CVE-2014-2524: bash,readline: temporary file misuse in _rl_tropen
Last modified: 2016-04-27 20:24:26 UTC
via oss-sec

From: Steve Kemp <steve@steve.org.uk>
Subject: [oss-security] Insecure usage of temporary files in GNU Readline
Date: Fri, 14 Mar 2014 18:05:31 +0000

Whilst auditing some code for insecure uses of temporary files I spotted a potential area of concern in GNU readline. (via an embedded copy of the same inside the Debian source of GDB.)

The code in question comes from readline 6.x and is contained in util.c:

    int
    _rl_tropen ()
    {
      char fnbuf[128];

      if (_rl_tracefp)
        fclose (_rl_tracefp);
      sprintf (fnbuf, "/var/tmp/rltrace.%ld", getpid());
      unlink(fnbuf);
      _rl_tracefp = fopen (fnbuf, "w+");
      return _rl_tracefp != 0;
    }

_rl_tropen is invoked from _rl_trace, which is a debugging aid, and it is implied that the function is private, because it is defined in rlprivate.h:

    /* rlprivate.h -- functions and variables global to the readline library,
       but not intended for use by applications. */

That said the function _is_ available for using/linking, as a trivial test program would demonstrate:

    http://pastebin.com/T0XimKED

Given how widely used this library is potentially many applications are unknowingly vulnerable to a classic race-condition.

I'm throwing this out there for two reasons:

 * In theory this is exploitable, and should be fixed.
 * In practice I cannot find an application which invokes _rl_trace, although there are tantalising clues such as this page of commits which refers to a snapshot of GNU Bash:
   https://gitlab.com/bminor/bash/commit/b0c16657b4514191b4f6c328615d162726758247

Feel free to allocate an identifier, or even scan some of your projects that have readline dependencies ;)

This is the first announcement of this issue I've made, I can imagine some more paranoid distributions might wish to update, but equally this seems so low-risk that I didn't consider it worthy of vendor-sec.

Steve
-- 
http://tweaked.io/
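The race in the quoted _rl_tropen and one way to close it, as an added example that is neither readline's nor the reporter's code. The pattern is reproduced with the directory as a parameter so the demo can run in a scratch directory under /tmp instead of /var/tmp; the race_hook, the demo_* functions and the "victim" file are constructed for this example only, and the hook stands in for the attacker's process winning the unlink()/fopen() window. The hardened variant uses mkstemp(3), which creates the file atomically with O_CREAT|O_EXCL and mode 0600 under an unpredictable name.

```c
/* Added example, not readline's or the reporter's code: the unlink()/fopen()
   race in the quoted _rl_tropen beside a hardened replacement. The directory
   is a parameter so the demo can use a scratch directory instead of /var/tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the attacker's process, called inside the unlink()/fopen()
   window. A real attacker wins this by timing; the hook makes the demo deterministic. */
static void (*race_hook)(const char *path);

/* The reported pattern: predictable pid-based name, unlink, then fopen("w+"),
   which follows whatever symlink sits at that name by the time it runs. */
static FILE *vulnerable_tropen(const char *dir, char *fnbuf, size_t n)
{
    snprintf(fnbuf, n, "%s/rltrace.%ld", dir, (long)getpid());
    unlink(fnbuf);
    if (race_hook) race_hook(fnbuf);   /* attacker re-plants the link here */
    return fopen(fnbuf, "w+");
}

/* Hardened: unpredictable name, atomic O_CREAT|O_EXCL create with mode 0600
   (mkstemp), so there is no name to plant and no unlink/open window. */
static FILE *hardened_tropen(const char *dir, char *fnbuf, size_t n)
{
    if (snprintf(fnbuf, n, "%s/rltrace.XXXXXX", dir) >= (int)n) return NULL;
    int fd = mkstemp(fnbuf);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (!fp) { close(fd); unlink(fnbuf); }
    return fp;
}

/* ---- demos: each returns 1 on the described outcome, -1 if setup failed ---- */
static char g_victim[256];   /* the file the attacker wants overwritten (constructed) */

static void attacker_plants_symlink(const char *path)
{
    (void)symlink(g_victim, path);
}

/* The victim file is clobbered through the symlink planted at the predictable name. */
int demo_vulnerable_clobbers_victim(void)
{
    char dir[] = "/tmp/rltrace-demo.XXXXXX", fnbuf[128], line[64] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(g_victim, sizeof g_victim, "%s/victim", dir);
    FILE *v = fopen(g_victim, "w");
    if (!v) return -1;
    fputs("original\n", v);
    fclose(v);
    race_hook = attacker_plants_symlink;
    FILE *fp = vulnerable_tropen(dir, fnbuf, sizeof fnbuf);
    race_hook = NULL;
    if (fp) { fputs("trace output\n", fp); fclose(fp); }
    if ((v = fopen(g_victim, "r"))) {
        if (!fgets(line, sizeof line, v)) line[0] = '\0';
        fclose(v);
    }
    int clobbered = strcmp(line, "trace output\n") == 0;
    unlink(fnbuf); unlink(g_victim); rmdir(dir);
    return clobbered;
}

/* The hardened open yields a 0600 file whose name is not the pid-derived one. */
int demo_hardened_is_private(void)
{
    char dir[] = "/tmp/rltrace-demo.XXXXXX", fnbuf[128], predictable[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    FILE *fp = hardened_tropen(dir, fnbuf, sizeof fnbuf);
    if (!fp) { rmdir(dir); return 0; }
    snprintf(predictable, sizeof predictable, "%s/rltrace.%ld", dir, (long)getpid());
    int ok = fstat(fileno(fp), &st) == 0 && (st.st_mode & 0777) == 0600
          && strcmp(fnbuf, predictable) != 0;
    fclose(fp); unlink(fnbuf); rmdir(dir);
    return ok;
}

/* O_CREAT|O_EXCL refuses a planted symlink with EEXIST instead of following it. */
int demo_excl_refuses_symlink(void)
{
    char dir[] = "/tmp/rltrace-demo.XXXXXX", link[128];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/rltrace.planted", dir);
    (void)symlink("/nonexistent-target", link);
    int fd = open(link, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    unlink(link); rmdir(dir);
    return refused;
}
```

The third demo isolates the guarantee mkstemp relies on: O_CREAT|O_EXCL fails on an existing path even when that path is a symlink, so the attacker's pre-planted link is never followed. On a kernel with fs.protected_symlinks the first demo still succeeds because the same uid plants and follows the link in a non-sticky directory, which is exactly the situation for a per-user trace file in a shared /var/tmp when the attacker runs as that user or the protection is off.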
Affected packages:
SLE-11-SP3: bash
SLE-10-SP3-TERADATA: bash
SLE-11-SP2: bash
openSUSE 12.3 and 13.1

nevertheless the functions _rl_tropen(), _rl_trclose(), and _rl_trace() are defined for debugging but never used in the final bash nor libreadline:

werner/bash> grep -rsE '_rl_(open|close|trace)' readline-6.2/ bash-4.2/
readline-6.2/rlprivate.h:extern void _rl_trace (const char *, ...) __attribute__((__format__ (printf, 1, 2)));
readline-6.2/rlprivate.h:extern void _rl_trace ();
readline-6.2/util.c:static FILE *_rl_tracefp;
readline-6.2/util.c:_rl_trace (const char *format, ...)
readline-6.2/util.c:_rl_trace (va_alist)
readline-6.2/util.c: if (_rl_tracefp == 0)
readline-6.2/util.c: vfprintf (_rl_tracefp, format, args);
readline-6.2/util.c: fprintf (_rl_tracefp, "\n");
readline-6.2/util.c: fflush (_rl_tracefp);
readline-6.2/util.c: if (_rl_tracefp)
readline-6.2/util.c: fclose (_rl_tracefp);
readline-6.2/util.c: _rl_tracefp = fopen (fnbuf, "w+");
readline-6.2/util.c: return _rl_tracefp != 0;
readline-6.2/util.c: r = fclose (_rl_tracefp);
readline-6.2/util.c: _rl_tracefp = 0;
bash-4.2/CWRU/changelog: - add extern declarations for _rl_trace, _rl_tropen
bash-4.2/lib/readline/util.c:static FILE *_rl_tracefp;
bash-4.2/lib/readline/util.c:_rl_trace (const char *format, ...)
bash-4.2/lib/readline/util.c:_rl_trace (va_alist)
bash-4.2/lib/readline/util.c: if (_rl_tracefp == 0)
bash-4.2/lib/readline/util.c: vfprintf (_rl_tracefp, format, args);
bash-4.2/lib/readline/util.c: fprintf (_rl_tracefp, "\n");
bash-4.2/lib/readline/util.c: fflush (_rl_tracefp);
bash-4.2/lib/readline/util.c: if (_rl_tracefp)
bash-4.2/lib/readline/util.c: fclose (_rl_tracefp);
bash-4.2/lib/readline/util.c: _rl_tracefp = fopen (fnbuf, "w+");
bash-4.2/lib/readline/util.c: return _rl_tracefp != 0;
bash-4.2/lib/readline/util.c: r = fclose (_rl_tracefp);
bash-4.2/lib/readline/util.c: _rl_tracefp = 0;
bash-4.2/lib/readline/rlprivate.h:extern void _rl_trace (const char *, ...) __attribute__((__format__ (printf, 1, 2)));
bash-4.2/lib/readline/rlprivate.h:extern void _rl_trace ();
bash-4.2/ChangeLog: - add extern declarations for _rl_trace, _rl_tropen
SR#226577 for openSUSE:Factory
SR#34538 for SLES12:GA
This is an autogenerated message for OBS integration: This bug (868822) was mentioned in https://build.opensuse.org/request/show/226577 Factory / bash
bugbot adjusting priority
confirmed that only opensuse is affected. sles11 does not have the code. also fixing factory is sufficient given the preconditions. -> dione
This is an autogenerated message for OBS integration: This bug (868822) was mentioned in
https://build.opensuse.org/request/show/251817 13.1 / bash
https://build.opensuse.org/request/show/251818 12.3 / bash
https://build.opensuse.org/request/show/251819 12.3 / bash
openSUSE-SU-2014:1226-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 868822,895475,896776
CVE References: CVE-2014-2524,CVE-2014-6271
Sources used:
openSUSE 13.1 (src): bash-4.2-68.4.1
openSUSE 12.3 (src): bash-4.2-61.9.1