Csync2 Insecure Temporary Directory Vulnerability Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in Csync2, a cluster synchronization tool, when compiled with C99 or later. The issue arises from the use of insecure temporary directories for storing intermediate results, which creates a vulnerability to local denial-of-service attacks. This problem is caused by a faulty autotools macro that fails to properly detect the presence of the secure 'mkstemp' function, leading to the use of unsafe temporary file handling.

Impact

Exploitation of this vulnerability can lead to local denial-of-service conditions, causing the application to become unresponsive or unavailable.

Reproduction

To reproduce this vulnerability, compile Csync2 with C99 or later. The faulty autotools macro will incorrectly indicate that 'mkstemp' is unavailable, allowing the application to use insecure temporary directories. Once compiled, the vulnerability can be exploited by creating a scenario that takes advantage of the insecure temporary file handling, leading to a denial-of-service condition.

Remediation

The vulnerability can be addressed by modifying the 'configure.ac' file to include a proper return type for the 'main' function in the 'AC_TRY_RUN' check for secure 'mkstemp' availability. This adjustment will allow the autotools macro to correctly detect 'mkstemp', preventing the use of insecure temporary directories.