Home page logo

bugtraq logo Bugtraq mailing list archives

RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 12 Feb 2002 17:07:44 +0100

RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT

   The run-time library of the GNU Ada compiler (GNAT) handles temporary
   files in an unsafe manner.

Systems Affected

   All POSIX multi-user systems running GNAT-compiled binaries which use
   Ada language facilities for creating temporary files are affected. The
   following GNAT versions are known to have this defect:

     * GNAT 3.12p
     * GNAT 3.13p
     * GNAT 3.14p

   (The unreleased version of GNAT from the GCC CVS fixes this
   security defect on GNU/Linux, but introduces another one. Its use
   is strongly discouraged until this problem has been addressed.)

Attack vector

   Interactive access is usually required to exploit this vulnerability.


   The impact depends on the application creating the temporary file. It
   ranges from temporary to permanent denial of service, from data
   eavesdropping to system compromise.

Vulnerability Type

   /tmp race condition


   The Ada language offers a facility to create named temporary files
   (see ISO/IEC 8652:1995, section A.8.5.2). The GNAT run-time library
   creates these temporary files in an unsafe way, which can result in
   exploitable /tmp race conditions.

   In addition, the procedure GNAT.OS_Lib.Create_Temp_File creates the
   temporary file in the current directory and does not retry with a
   different file name if the generated random file name has come into
   existance before the file is opened using O_EXCL.

Proposed Solution

   The patch below replaces the calls to tmpnam() or mktemp() with ones
   to mkstemp(). Of course, this only works on systems where mkstemp() is

     * Patch for GNAT 3.14p:

   Unfortunately, more substantial changes are required for previous
   versions of GNAT.

Contact Status

   Ada Core Technologies was contacted on 2000-04-16.


   RUS-CERT (http://CERT.Uni-Stuttgart.DE/) is the Computer Emergency
   Response Team located at the Computing Center (RUS) of the
   University of Stuttgart, Germany.

Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

  By Date           By Thread  

Current thread:
  • RUS-CERT Advisory 2002-02:01: Temporary file handling in GNAT Florian Weimer (Feb 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]