
CERT Coordination Center

sort creates temporary files insecurely

Vulnerability Note VU#417216

Original Release Date: 2001-08-20 | Last Revised: 2003-05-29

Overview

The sort utility creates temporary files insecurely, making sort subject to a denial-of-service attack.

Description

The UNIX sort utility creates temporary files with predictable names. The files are created in a way that prevents information loss via a symlink attack, but if a file with the expected name already exists, the creation fails and sort aborts.
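
The failure mode described above, shown beside a hardened form, as an added example in C (not code from any vendor's sort or from CERT/CC). The PID-based name `sortNNNNN`, the scratch directory and the function names are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pattern from the Description: a guessable name (PID-based here, an assumed
 * scheme) opened with O_CREAT|O_EXCL. O_EXCL never follows or reuses what is
 * already at the path, so nothing is clobbered, but the open fails. */
int open_tmp_predictable(const char *dir, long pid, char *path, size_t len)
{
    snprintf(path, len, "%s/sort%05ld", dir, pid);
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Hardened form: mkstemp() fills in an unpredictable suffix, creates the
 * file exclusively with mode 0600 and, in common libcs, retries on collision. */
int open_tmp_hardened(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/sortXXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario in a private scratch directory: a file already sits
 * at the predictable name when the second open is attempted.
 * Returns 0 when the predictable open fails with EEXIST and mkstemp works. */
int demo(void)
{
    char dir[] = "/tmp/vu417216-XXXXXX";
    char p1[256], p2[256];
    if (mkdtemp(dir) == NULL)
        return -1;

    long pid = (long)getpid();
    int pre = open_tmp_predictable(dir, pid, p1, sizeof p1); /* existing file */
    int fd1 = open_tmp_predictable(dir, pid, p1, sizeof p1); /* later run */
    int err = errno;
    int fd2 = open_tmp_hardened(dir, p2, sizeof p2);
    int rc = (pre >= 0 && fd1 == -1 && err == EEXIST && fd2 >= 0) ? 0 : 1;

    if (fd2 >= 0) { close(fd2); unlink(p2); }
    if (fd1 >= 0) close(fd1);
    if (pre >= 0) { close(pre); unlink(p1); }
    rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

A program that treats the `EEXIST` result as fatal reproduces the abort the note describes; the `mkstemp()` path avoids it because the name cannot be prepared in advance.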

Impact

By crashing the sort utility, an intruder may be able to block the operation of system administration programs.

Solution

Apply vendor patches; see the Systems Affected section below.

Vendor Information


Apple Computer Inc.

Notified:  June 13, 2001 Updated:  October 04, 2001

Status

  Vulnerable

Vendor Statement

http://www.apple.com/support/security/security_updates.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  April 23, 2001 Updated:  August 14, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/freebsd_advisory-1314.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD

Notified:  January 30, 2001 Updated:  June 12, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/freebsd_advisory-1111.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company

Notified:  June 13, 2001 Updated:  July 27, 2001

Status

  Vulnerable

Vendor Statement

Probably vulnerable, under investigation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI

Notified:  June 13, 2001 Updated:  May 29, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released SGI Security Advisory 20020401-01-P, subsequently updated with SGI Security Advisory 20020401-02-P, in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


The SCO Group (SCO Linux)

Notified:  June 13, 2001 Updated:  January 29, 2002

Status

  Vulnerable

Vendor Statement

Our shipping versions are affected by this denial of service attack:
- OpenLinux 2.3
- OpenLinux eServer 2.3.1
- OpenLinux eDesktop 2.4

We have not issued security updates for those platforms.
However, we have fixed this issue in our upcoming products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare)

Notified:  June 13, 2001 Updated:  May 29, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera International, Inc. has released the following Security Advisories in response to this issue:

Users are encouraged to review these advisories and apply the patches they refer to.


Fujitsu

Notified:  June 13, 2001 Updated:  June 20, 2001

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system is not vulnerable to the sort vulnerability described here, because the implementation of the sort command in UXP/V is different from the implementation described here.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc.

Notified:  June 13, 2001 Updated:  July 27, 2001

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BSDI

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


DEC

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data General

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NEC Corporation

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NeXT

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD

Notified:  June 13, 2001 Updated:  August 14, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Siemens Nixdorf

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sony Corporation

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Unisys

Notified:  June 13, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.




CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A


Acknowledgements

This vulnerability was identified by FreeBSD.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0310
Severity Metric: 0.84
Date Public: 2001-01-30
Date First Published: 2001-08-20
Date Last Updated: 2003-05-29 18:48 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.