RUS-CERT Advisory 2002-02-01: Temporary file handling in GNAT

Overview

The run-time library of the GNU Ada compiler (GNAT) handles temporary files in an unsafe manner.

Systems Affected

All POSIX multi-user systems running GNAT-compiled binaries which use Ada language facilities for creating temporary files.

Known affected GNAT versions:

- GNAT 3.12p
- GNAT 3.13p
- GNAT 3.14p

Attack Vector

Interactive access is usually required to exploit this vulnerability.

Impact

Varies depending on the application:

- Temporary to permanent denial of service
- Data eavesdropping
- System compromise

Vulnerability Type

/tmp race condition

Description

GNAT's run-time library creates temporary files unsafely, leading to exploitable race conditions.

creates files in the current directory without retrying with a different name if the generated random filename already exists.

Proposed Solution

Replace calls to or with where available.

Patch for GNAT 3.14p: Link

More substantial changes are needed for previous versions.

Contact Status

Ada Core Technologies was contacted on 2000-04-16.

About RUS-CERT

RUS-CERT is the Computer Emergency Response Team at the University of Stuttgart, Germany.
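
Added example (not code from GNAT or from this advisory): the race condition named under Description goes away when the existence check and the file creation are one atomic step, and a name collision leads to a retry with a fresh name. The function names safe_temp_file and random_name, the tmp- prefix and the retry limit are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_TRIES 100   /* assumed retry limit */

/* Fill name with dir + "/tmp-" + 16 hex characters read from /dev/urandom. */
static int random_name(char *name, size_t len, const char *dir)
{
    unsigned char r[8];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, r, sizeof r);
    close(fd);
    if (n != (ssize_t)sizeof r)
        return -1;
    int w = snprintf(name, len, "%s/tmp-%02x%02x%02x%02x%02x%02x%02x%02x", dir,
                     r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7]);
    return (w > 0 && (size_t)w < len) ? 0 : -1;   /* reject truncated names */
}

/*
 * Create a new temporary file in dir; return an open descriptor or -1.
 * O_CREAT|O_EXCL makes "does it exist?" and "create it" a single atomic
 * operation and fails if the name is a symlink, so a file or link planted
 * by another user is never opened. Mode 0600 keeps the contents private.
 * On EEXIST a new random name is tried; any other error is returned at once.
 */
int safe_temp_file(const char *dir, char *name, size_t len)
{
    for (int i = 0; i < MAX_TRIES; i++) {
        if (random_name(name, len, dir) != 0)
            return -1;
        int fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;          /* name now holds the path that was created */
        if (errno != EEXIST)
            return -1;          /* real error, retrying would not help */
    }
    errno = EEXIST;
    return -1;
}
```

The caller works only through the returned descriptor and removes the file with unlink(name) when it is no longer needed.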