COMMAND
makewhatis
SYSTEMS AFFECTED
Linux
PROBLEM
The following is based on an ISS Security Advisory. The makewhatis
portion of the man package used files in /tmp in an insecure
fashion. It was possible for local users to exploit this
vulnerability to modify files that they normally could not and
gain elevated privilege.
This vulnerability has been found in versions 1.5e and higher of
the "man" utility package. The makewhatis program builds the
whatis database for use with the "whatis", "apropos", and "man"
programs to find online documentation. It is typically invoked
with root privileges and is scheduled to run periodically (as a
cron job).
A working copy of the database is created as a temporary file in
the world-writable /tmp directory. The temporary file is named
/tmp/whatis$$, where $$ is the Process ID (PID) of the running
makewhatis process. The program does not perform sufficient tests
to ensure that the file it is about to create does not already
exist. Due to the predictability of process IDs and the limited
scope of a PID integer (0-65535), an attacker could exploit the
race condition using symbolic links.
The problem is greater on Linux systems that ship with makewhatis
scheduled to run at a specified time. In these cases, the attacker
knows when makewhatis will be run.
This vulnerability was discovered and researched by Aaron Campbell
and Allen Wilson of the ISS X-Force.
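The fix a defender would expect in a root cron job, as an added example (not code from the advisory or from the man package): the predictable /tmp/whatis$$ pattern is shown only as a comment, replaced by a private mktemp directory plus a pre-write check that refuses symlinks and files owned by someone else. Directory names and the demo paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the man package.
#
# Insecure pattern (contrast only): the name is predictable (PID-based)
# and the redirection follows a symlink left at that path by another
# local user. Do not use:
#   whatis_tmp=/tmp/whatis$$; : > "$whatis_tmp"

# Create the working file inside a fresh private directory with an
# unpredictable name. mktemp -d creates the directory with mode 0700
# and fails instead of reusing an existing entry, so a pre-planted
# symlink cannot be followed. Prints the path the script should write to.
make_whatis_tmp() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/makewhatis.XXXXXX") || return 1
    printf '%s\n' "$workdir/whatis"
}

# Check a path before writing through it in a world-writable location.
# Returns 0 when it is safe to create or overwrite, 1 otherwise.
tmp_path_is_safe() {
    path=$1
    dir=$(dirname "$path")
    # A symlink at the target is exactly the race the advisory describes.
    [ -L "$path" ] && return 1
    # The containing directory must exist and must not be a symlink either.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # An existing regular file must belong to us (-O tests ownership).
    if [ -e "$path" ]; then
        [ -f "$path" ] && [ -O "$path" ] || return 1
    fi
    return 0
}
```

A cron-driven script should call tmp_path_is_safe immediately before each write; a check performed much earlier leaves the same window the advisory describes.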
SOLUTION
RPMs required for Red Hat:
Red Hat Linux 5.2:
ftp://updates.redhat.com/5.2/i386/man-1.5h1-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/alpha/man-1.5h1-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/man-1.5h1-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/SRPMS/man-1.5h1-2.5.x.src.rpm
Red Hat Linux 6.2:
ftp://updates.redhat.com/6.2/alpha/man-1.5h1-2.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/i386/man-1.5h1-2.6.x.i386.rpm
ftp://updates.redhat.com/6.2/sparc/man-1.5h1-2.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/SRPMS/man-1.5h1-2.6.x.src.rpm
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/man-1.5f-6.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/man-1.5f-6.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/man-1.5f-6.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/man-1.5f-6.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/man-1.5g-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/man-1.5g-2.src.rpm
TSL (Trustix Secure Linux) released new man packages fixing the hole in
makewhatis. All users of TSL 1.0x and 1.1 are encouraged to upgrade to
this version of the man package:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/man-1.5g-11tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/man-1.5g-11tr.i586.rpm
http://www.trustix.net/download/Trustix/updates/1.1/SRPMS/man-1.5g-11tr.src.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/man-1.5g-11tr.src.rpm
SuSE is NOT vulnerable to this bug, because they use different
code, which doesn't touch /tmp in an insecure way.
Linux-Mandrake recommends that affected customers upgrade to:
6.0/RPMS/man-1.5g-15mdk.i586.rpm
6.0/SRPMS/man-1.5g-15mdk.src.rpm
6.1/RPMS/man-1.5g-15mdk.i586.rpm
6.1/SRPMS/man-1.5g-15mdk.src.rpm
7.0/RPMS/man-1.5g-15mdk.i586.rpm
7.0/SRPMS/man-1.5g-15mdk.src.rpm
7.1/RPMS/man-1.5g-15mdk.i586.rpm
7.1/SRPMS/man-1.5g-15mdk.src.rpm