Title: GNU Ada Compiler Runtime Library Insecure Temporary File Creation Vulnerability
Severity: MODERATE
Description:
The GNU Ada Compiler (Gnat) is an open source commercial Ada compiler distributed and maintained by Ada Core Technologies. It is designed for use on Unix, Linux, and Microsoft Operating Systems, in addition to others.
A problem in the runtime libraries used by binaries created with the compiler could create race condition situations. The problem is due to the insecure creation of temporary files.
Gnat is a hybrid compiler. It combines the strengths of the GNU C Compiler and the Ada programming language.
The Gnat runtime libraries use routines that when linked with a binary created by the compiler, can make the binary vulnerable to temporary file race conditions. This is due to the library using the deprecated tmpnam function, which generates a name for a temporary file that did not exist at some point. The function neither checks nor generates errors when generating names for temporary files.
This problem could make it possible for an attacker to exploit a program built with the compiler to launch a symbolic link attack. This could in turn lead to the overwriting of arbitrary files owned by another user, and potentially elevated privileges.
Affected Products:
- Ada Core Technologies Gnat Pro Native 3.12.0 p
- Ada Core Technologies Gnat Pro Native 3.13.0 p
- Ada Core Technologies Gnat Pro Native 3.14.0 p
References:
- Ada Core Technologies: Gnat Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
