Bug#: 97175
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Romang <zataz@zataz.net>
Description:   Opened: 2005-06-27 01:43 0000
Hello,

Look at:

cts/CTStests.py.in

873         fstmpfile = "/tmp/band_estimate"
874         dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
875         %               (port, fstmpfile);

1076             self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
1077             if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
1078                 line = open("/tmp/drbd").readlines()[2]

1113         if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
1114             self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
1115             lines=open("/tmp/drbdconf","r")

Also in:

heartbeat/lib/BasicSanityCheck.in

46 LOGFILE=/tmp/linux-ha.testlog

This file contains a lot of actions on the insecure tmp file.

Also in:

lib/stonith/meatclient.c

58         const char *    meatpipe_pr = "/tmp/.meatware";
101                 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);

Regards.

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-07-05 06:09:22 0000 -------
(In reply to comment #0)
> cts/CTStests.py.in
> 
> 873         fstmpfile = "/tmp/band_estimate"
> 874         dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
> 875         %               (port, fstmpfile);

confirmed, insecure temp file handling.

> 1076             self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
> 1077             if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
> 1078                 line = open("/tmp/drbd").readlines()[2]

confirmed, second order symlink attack.

> 1113         if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
> 1114             self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
> 1115             lines=open("/tmp/drbdconf","r")

confirmed, second order symlink attack via scp.

> heartbeat/lib/BasicSanityCheck.in
> 
> 46 LOGFILE=/tmp/linux-ha.testlog

confirmed, second order again.

> lib/stonith/meatclient.c
> 
> 58         const char *    meatpipe_pr = "/tmp/.meatware";
> 101                 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);
> 
> Regards.

confirmed, looks like it needs some O_EXCL goodness line ~103.
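
Added example (not part of the bug report or of heartbeat's fix): the fixed-name `/tmp` pattern reported above next to the `O_EXCL` creation that comment #1 suggests, run against a pre-existing symlink inside a private `mkdtemp()` directory. All function names and the `victim`/`band_estimate` file layout are constructed for this illustration; a POSIX system is assumed.

```c
/* Added example (constructed demo; not heartbeat's code or its patch). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* "Before" pattern: fixed name, no O_EXCL, so a planted symlink is followed. */
int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}
/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name already exists,
 * and POSIX requires that even when the name is a (dangling) symlink. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
/* Preferred when the name need not be predictable: mkstemp() replaces the
 * XXXXXX suffix and creates the file exclusively with mode 0600. */
int open_private(char *tmpl) { return mkstemp(tmpl); }
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
/* Scenario inside a private mkdtemp() directory: "victim" holds 10 bytes and
 * "band_estimate" is a symlink pointing at it. Returns 0 on success. */
int setup_demo(char *dir, char *victim, char *lnk, size_t n) {
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, n, "%s/victim", dir);
    snprintf(lnk, n, "%s/band_estimate", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important\n", f);
    fclose(f);
    return symlink(victim, lnk);
}
int main(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[256], lnk[256];
    if (setup_demo(dir, victim, lnk, sizeof victim) != 0) return 1;
    int fd = open_exclusive(lnk), err = errno;
    printf("exclusive: fd=%d (%s), victim=%ld bytes\n", fd,
           fd < 0 ? strerror(err) : "ok", file_size(victim));
    fd = open_naive(lnk);
    if (fd >= 0) close(fd);
    printf("naive: victim=%ld bytes\n", file_size(victim));
    unlink(lnk); unlink(victim); rmdir(dir);
    return 0;
}
```

The exclusive open leaves the link target untouched, while the fixed-name open truncates it; for scripts, `mktemp` gives the same guarantee as `mkstemp()`.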

------- Comment #2 From Thierry Carrez (RETIRED) 2005-07-11 05:20:20 0000 -------
Eric, please tell us when upstream is advised...

------- Comment #3 From Romang 2005-07-12 00:29:50 0000 -------
Hello,

Vendor informed.

Regards.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-07-13 12:55:55 0000 -------
Leaked by Secunia, SA16039

------- Comment #5 From Thierry Carrez (RETIRED) 2005-07-18 05:27:01 0000 -------
Pulling in maintainer

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-07-18 23:55:18 0000 -------
Cluster, please provide an updated ebuild. 

------- Comment #7 From Konstantin Arkhipov 2005-07-22 07:29:05 0000 -------
can someone please test and commit this pack-of-debian-security-patches [1] to 1.2.3?

i have no heartbeat installations currently.

[1] http://dev.gentoo.org/~voxus/stuff/heartbeat-1.2.3-debian_security_fixes.patch

------- Comment #8 From Christian Zoffoli 2005-07-23 07:28:00 0000 -------
reply to #7: 

sure, I'll test it.

------- Comment #9 From Michael Imhof 2005-07-28 14:52:29 0000 -------
reply to #8:

do they work and if yes, do you want to commit them?

------- Comment #10 From Christian Zoffoli 2005-07-28 17:27:21 0000 -------
heartbeat-1.2.3-r1 is on cvs (with the suggested fix), but it's not marked
stable.

Security Team please review it and mark it stable (almost on x86 as the
previous one).

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-07-28 22:35:40 0000 -------
x86 please test and mark stable. 

------- Comment #12 From Thierry Carrez (RETIRED) 2005-07-31 04:40:27 0000 -------
x86 testers, or cluster herd: could you test and mark stable on x86 ?

------- Comment #13 From Christian Zoffoli 2005-08-01 06:35:23 0000 -------
The patch works fine but I've found another problem.

LVM scripts in heartbeat don't work fine with LVM2; the patch also fixes this
behaviour, but we don't have the /sbin/lvmiopversion util (from lvm-common) in portage.

So, I've split the patch and marked stable the -r1 ebuild with the security
fix and I've added another ebuild (-r2) with an experimental LVM2 fix.

------- Comment #14 From Thierry Carrez (RETIRED) 2005-08-01 08:04:24 0000 -------
Please don't close security bugs, we'll do it when we are finished with them.
Security: please vote on GLSA need.

I don't know what to vote, on one hand, those are probably root-executed
scripts, on the other, heartbeat is not something you often find on multiuser
setups... I guess I vote half-yes...

------- Comment #15 From Sune Kloppenborg Jeppesen 2005-08-01 21:58:28 0000 -------
Half YES from me as well. 

------- Comment #16 From Tavis Ormandy (RETIRED) 2005-08-05 00:34:23 0000 -------
weak YES also

------- Comment #17 From Thierry Carrez (RETIRED) 2005-08-05 00:37:00 0000 -------
OK, let's make that a full yes.

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-08-07 01:07:54 0000 -------
GLSA 200508-05 
