You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Arno Toell (JIRA)" <ji...@apache.org> on 2014/06/02 10:36:02 UTC

[jira] [Created] (TS-2867) traffic_shell uses predictable file names in public writable directories

Arno Toell created TS-2867:
------------------------------

             Summary: traffic_shell uses predictable file names in public writable directories
                 Key: TS-2867
                 URL: https://issues.apache.org/jira/browse/TS-2867
             Project: Traffic Server
          Issue Type: Bug
            Reporter: Arno Toell


Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846, thus quoting the reporter (removed ATS 3.0 arguments):

{quote}
The binary `/usr/bin/traffic_shell` contains the following strings, which
should be sufficient to explain the issue:

    /bin/sort /tmp/zonetab.tmp > /tmp/zonetab

I didn't look at the code in depth, but there are at least two
errors here:

 * Predictable filenames, allowing file truncation/removal.

 * Race-conditions accessing files.

The code in question comes from:

   trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc
{quote}

git head is not affected as traffic_shell was removed there, however older including 3.0, 4.0 and 4.2 branches are vulnerable to this. I suggest that you assign a CVE ID to track this issue and fix this issue in all supported branches.

Note, that 3.0 has more vulnerabilities if you decide to fix this issue in 3.0 as well. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)