Vulnerability Note VU#10277
Various shells create temporary files insecurely when using << operator
sh uses /tmp files of a predictable name in creating files for input redirection using the << operator.
When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the file before re-opening it as the standard input of the command to be executed. At no stage are the results of the creat(), write(), or open() calls checked for an error status.
It is possible for another user to alter what is read from this file.
It may also be possible to create a symbolic link named as the temporary file and pointed to any other file on the system writable by the user of the shell, which may lead to corruption of the file to which the link is pointed.
Apply vendor patches; see the Systems Affected section below.
Avoid the use of << operator in cron jobs and similar administration scripts.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer, Inc.||Affected||14 May 2001||25 Sep 2001|
|Compaq Computer Corporation||Affected||14 May 2001||13 Jun 2003|
|DEC||Affected||14 May 2001||30 Jan 2002|
|FreeBSD, Inc.||Affected||20 Nov 2000||15 May 2001|
|Hewlett-Packard Company||Affected||14 May 2001||13 Jun 2003|
|IBM Corporation||Affected||14 May 2001||13 Jun 2001|
|Mandriva, Inc.||Affected||20 Nov 2000||16 Jul 2001|
|SGI||Affected||14 May 2001||29 Jan 2002|
|Sun Microsystems, Inc.||Affected||17 Jul 1991||17 May 2001|
|The SCO Group (SCO Linux)||Affected||14 May 2001||19 Jun 2001|
|The SCO Group (SCO Unix)||Affected||14 May 2001||29 Jan 2002|
|Berkeley Software Design, Inc.||Not Affected||14 May 2001||15 May 2001|
|OpenBSD||Not Affected||30 Oct 2000||05 Jul 2001|
|Data General||Unknown||14 May 2001||11 Jun 2001|
|Debian Linux||Unknown||14 May 2001||11 Jun 2001|
CVSS Metrics (Learn More)
The original discoverer of this vul was Gordon Irlam of the Univeristy of Adelaide, Australia.
This document was written by James T. Ellis, modified by Tim Shimeall to reflect 2001 reporting
- CVE IDs: CVE-2000-1134
- Date Public: 17 Jul 91
- Date First Published: 02 Jul 2001
- Date Last Updated: 24 Apr 2007
- Severity Metric: 1.73
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.