Traffic Server
  1. Traffic Server
  2. TS-2867

traffic_shell uses predictable file names in public writable directories


    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.2
    • Component/s: None
    • Labels:


      Forwarded from, thus quoting the reporter (removed ATS 3.0 arguments):

      The binary `/usr/bin/traffic_shell` contains the following strings, which
      should be sufficient to explain the issue:

      /bin/sort /tmp/zonetab.tmp > /tmp/zonetab

      I didn't look at the code in depth, but there are at least two
      errors here:

      • Predictable filenames, allowing file truncation/removal.
      • Race-conditions accessing files.

      The code in question comes from:

      trafficserver-3.0.5/mgmt/tools/ +

      git head is not affected as traffic_shell was removed there, however older including 3.0, 4.0 and 4.2 branches are vulnerable to this. I suggest that you assign a CVE ID to track this issue and fix this issue in all supported branches.

      Note, that 3.0 has more vulnerabilities if you decide to fix this issue in 3.0 as well.


        Phil Sorber made changes -
        Status In Progress [ 3 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Phil Sorber made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Phil Sorber made changes -
        Assignee Phil Sorber [ psudaemon ]
        Leif Hedstrom made changes -
        Field Original Value New Value
        Fix Version/s 4.2.2 [ 12326647 ]
        Arno Toell created issue -


          • Assignee:
            Phil Sorber
            Arno Toell
          • Votes:
            0 Vote for this issue
            5 Start watching this issue


            • Created: