Title: RETIRED: mktemp Predictable Temporary Filename Vulnerability
Severity: LOW
Description:
The 'mktemp' utility is used to create temporary files for shell scripts.
The utility generates random temporary filenames based on a user-supplied template. When the template allows six or fewer characters, the generated filename is based on the current process ID and is incremented in case of collisions.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. A denial-of-service attack may also be possible by exhausting all temporary filenames. Attackers may be able to gain elevated privileges.
This vulnerability resides in Todd Miller's mktemp 1.5; other versions may also be vulnerable. GNU coreutils mktemp is not currently believed to be vulnerable.
UPDATE (August 8, 2008): This issue is being retired. Because the temporary file is created with 'O_EXCL', this issue is not exploitable. Attacks may be possible when mktemp is called with the '-u' option, but this is documented as an unsafe mode. Any exploitable use of the utility would be a vulnerability in third-party scripts, not in 'mktemp' itself.
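The effect of 'O_EXCL' described in the update can be checked with the following added example, which is not code from mktemp or from this advisory. It plants a symbolic link at a constructed, guessable name inside a private scratch directory and compares an exclusive create with the open-by-name pattern that a script using '-u' falls back to; the function name, file names and file contents are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Size of a file in bytes, or -1 if it cannot be stat'ed. */
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Hypothetical helper: in a private scratch directory, create a 15-byte
 * "victim" file and a symlink to it at a guessable temp name, then open that
 * name with the flags under test. Returns the victim's size afterwards
 * (-1 if setup failed); *err receives the errno of the open, 0 on success. */
long open_over_planted_symlink(int flags, int *err) {
    char dir[] = "/tmp/mktemp-demo.XXXXXX";
    char victim[64], guessed[64];
    long size = -1;
    *err = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guessed, sizeof guessed, "%s/tmp.012345", dir); /* constructed name */
    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs("important data\n", f);
        fclose(f);
        if (symlink(victim, guessed) == 0) {
            int fd = open(guessed, flags, 0600);
            *err = fd < 0 ? errno : 0;
            if (fd >= 0) close(fd);
            size = file_size(victim);
        }
    }
    unlink(guessed); unlink(victim); rmdir(dir); /* clean up the sandbox */
    return size;
}

int main(void) {
    int err;
    long n = open_over_planted_symlink(O_WRONLY | O_CREAT | O_EXCL, &err);
    printf("O_CREAT|O_EXCL : victim %ld bytes, open: %s\n", n, err ? strerror(err) : "ok");
    n = open_over_planted_symlink(O_WRONLY | O_CREAT | O_TRUNC, &err);
    printf("O_CREAT|O_TRUNC: victim %ld bytes, open: %s\n", n, err ? strerror(err) : "ok");
    return 0;
}
```

With 'O_CREAT|O_EXCL' the open fails with EEXIST and the link target is untouched, even though the name was predictable. Opening the same name without 'O_EXCL' follows the link and truncates the target.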
Affected Products:
- Debian Linux 4.0
- Debian Linux 4.0 alpha
- Debian Linux 4.0 amd64
- Debian Linux 4.0 arm
- Debian Linux 4.0 hppa
- Debian Linux 4.0 ia-32
- Debian Linux 4.0 ia-64
- Debian Linux 4.0 m68k
- Debian Linux 4.0 mips
- Debian Linux 4.0 mipsel
- Debian Linux 4.0 powerpc
- Debian Linux 4.0 s/390
- Debian Linux 4.0 sparc
- Todd Miller mktemp 1.5
References:
- Sebastian Krahmer: Re: CVE id request: mktemp
- Todd Miller: mktemp Homepage
- Dirk Wetter: mktemp generated string partly not random
