• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Exuberant-ctags Symbolic Link Attack Vulnerability

Severity: MODERATE

Description:

Exuberant-ctags is a revision of the 'ctags' sourcecode mapping/navigation utility.

Versions of exuberant-ctags shipping with Debian Linux 2.2 make insecure use of temporary files, creating a race condition which renders ctags vulnerable to symbolic link attacks.

ctags makes use of a number of world-readable tempfiles (in /tmp) during its operation.

ctags creates tempfiles in two steps. The program first calls tmpnam() to obtains a name for the intended tempfile, then opens it for output with a call to fopen().

The interval between the calls to tmpnam() and fopen() creates a race condition.

When ctags writes to its tempfiles, it will follow symbolic links. As a result, it is possible for an attacker, having learned the name of the impending tempfile, to create a symbolic link (with the same name as the tempfile) pointing to a target file writable by the current ctags user.

If the temporary filename was correctly guessed, ctags will overwrite whatever is pointed to by the symlink, with the privilege level of the current ctags user.

Because these files are created world-readable, arbitrary local users may view their contents. If this attack is carried out while a privileged user is running ctags, sensitive or confidential data may be improperly disclosed.

Affected Products:

• Darren Hiebert ctags 1.0.0
• Darren Hiebert ctags 1.0.0a
• Darren Hiebert ctags 1.1.0
• Darren Hiebert ctags 1.2.0
• Darren Hiebert ctags 1.3.0
• Darren Hiebert ctags 1.4.0
• Darren Hiebert ctags 1.5.0
• Darren Hiebert ctags 1.6.0
• Darren Hiebert ctags 1.7.0
• Darren Hiebert ctags 2.0.1
• Darren Hiebert ctags 2.0.2
• Darren Hiebert ctags 2.0.3
• Darren Hiebert ctags 2.0.4
• Darren Hiebert ctags 2.1.0
• Darren Hiebert ctags 2.1.1
• Darren Hiebert ctags 2.2.0
• Darren Hiebert ctags 2.2.1
• Darren Hiebert ctags 2.2.2
• Darren Hiebert ctags 2.2.3
• Darren Hiebert ctags 2.2.6
• Darren Hiebert ctags 2.2.7
• Darren Hiebert ctags 2.3.0
• Darren Hiebert ctags 2.3.1
• Darren Hiebert ctags 2.3.2
• Darren Hiebert ctags 3.0.0
• Darren Hiebert ctags 3.0.1
• Darren Hiebert ctags 3.0.2
• Darren Hiebert ctags 3.0.3
• Darren Hiebert ctags 3.1.0
• Darren Hiebert ctags 3.1.2
• Darren Hiebert ctags 3.2.0
• Darren Hiebert ctags 3.2.1
• Darren Hiebert ctags 3.2.2
• Darren Hiebert ctags 3.2.3

References:

• Source Forge: Exuberant-ctags homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.