104986 2005-09-06 02:38 0000 app-backup/bacula <= 1.34.4 multiple vulnerabilities 2005-10-19 10:44:37 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED C3 [noglsa] jaervosz P2 minor --- 1 zataz@zataz.net security@gentoo.org app-backup@gentoo.org fserb@gentoo.org hadfield@gentoo.org zataz@zataz.net 2005-09-06 02:38:28 0000 Hello, * Take a look on : autoconf/randpass This file is used by configure and autoconf/configure.in to generate random password. 11 tmp=/tmp/p.tmp.$$ 12 cp autoconf/randpass.bc $tmp 13 ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp 14 date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp 15 ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp 16 echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp 17 echo "quit" >>$tmp 18 bc $tmp | awk -f autoconf/randpass.awk 19 rm $tmp They are 2 troubles, symlink attack (race condition) and password revelation to unstruted user (race condition). * Take a look at : rescue/linux/getdiskinfo Create bootstrap information files -- prelude to creating a Bacula Rescue Disk 192 cat >mount_drives <<END_OF_DATA 193 #!/bin/sh 194 # 195 # Mount disk drives -- created by getdiskinfo 196 # 197 END_OF_DATA 198 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext2.bsi >>mount_drives 199 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext3.bsi >>mount_drives 200 echo "#" >>mount_drives 201 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext2.bsi >/tmp/1$$ 202 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext3.bsi >>/tmp/1$$ 203 # sort so that root is mounted first 204 sort -k 3 </tmp/1$$ >>mount_drives 205 rm -f /tmp/1$$ 206 207 chmod 755 mount_drives 208 209 # copy sfdisk so we will have it 210 cp -f /sbin/sfdisk . 211 echo "Done building scripts." 212 echo " " 213 echo "You might want to do a:" 214 echo " " 215 echo "chown -R uuuu:gggg *" 216 echo " " 217 echo "where uuuu is your userid and gggg is your group" 218 echo "so that you can access all the files as non-root" 219 echo " " They are two troubles, symlink attack (race condition) and possible execution off executing arbitrary commands with users privileges (race condition) * Take a look at : scripts/mtx-changer.in Bacula interface to mtx autoloader 117 loaded) 118 ${MTX} -f $ctl status >/tmp/mtx.$$ 119 rtn=$? 120 cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}" 121 cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}" 122 rm -f /tmp/mtx.$$ 123 exit $rtn 124 ;; symlink attack (race condition) possible * Also we got this variable in a lot off script : working_directory = "/tmp"; Upstream should check the usage off this variable. Regards. taviso@gentoo.org 2005-09-13 04:06:01 0000 (In reply to comment #0) > Hello, > > * Take a look on : autoconf/randpass > ... This would only be exploitable on systems that dont have an openssl command, so not many systems would be effected, nevertheless, it could potentially be an issue. Suggest adding a dependency on openssl. > * Take a look at : rescue/linux/getdiskinfo This file does not appear to be installed, and therefore is invalid. > > * Take a look at : scripts/mtx-changer.in Yes, I dont see why a temporary file is needed here, this could be done in a single pipeline. > > * Also we got this variable in a lot off script : > > working_directory = "/tmp"; > > Upstream should check the usage off this variable. > Perhaps, I'll leave that to security team/maintainers to decide. zataz@zataz.net 2005-09-13 04:23:15 0000 >> Hello, >> >> * Take a look on : autoconf/randpass >> ... > This would only be exploitable on systems that dont have an openssl command, so > not many systems would be effected, nevertheless, it could potentially be an > issue. Suggest adding a dependency on openssl. ... Why openssl ? ... Regards taviso@gentoo.org 2005-09-13 04:45:55 0000 because it's only used if openssl isnt available. koon@gentoo.org 2005-09-17 05:42:59 0000 eric: where do we stand here ? upstream warned ? zataz@zataz.net 2005-09-19 01:46:28 0000 Hello, Reported into bacula bug system. http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422 Regards. koon@gentoo.org 2005-09-20 07:00:31 0000 Now public. Version 1.37.39 is out and fixes the issue. Maintainers: please bump. koon@gentoo.org 2005-09-23 13:29:22 0000 CCing herd as maintainers don't answer... hunter.cook@tranquility.net 2005-10-03 17:51:33 0000 Is this a major issue? I just installed bacula and was about to configure it to backup a pretty important server over the public Internet....is that a bad idea with this version? I just installed 1.34.4 because that's what's marked stable right now, and I hadn't seen this yet. Also, how is bacula-1.36.3-r1 in comparison? Is it stable? I see the reference to 1.37.39 above...seems like we're a bit behind. Are there other vulnerabilities that 1.36.3 still has problems with? koon@gentoo.org 2005-10-04 00:50:05 0000 These are both local attacks, meaning the attacker needs to get access to the system (and be free to execute code on it). So if you don't have local users on the platform you use Bacula on, that's not such a bug deal. jaervosz@gentoo.org 2005-10-06 08:12:44 0000 app-backup please bump. dragonheart@gentoo.org 2005-10-06 14:05:19 0000 bacula-1.36.3-r2 added that fixes the vulnerability. Romang thankyou add please check. FYI: 1.37* is the unstable beta version jaervosz@gentoo.org 2005-10-06 14:09:54 0000 Nothing in CVS yet. jaervosz@gentoo.org 2005-10-06 14:15:30 0000 Ok, it is in now. Arches please test and mark stable. hansmi@gentoo.org 2005-10-07 11:06:49 0000 Stable on ppc and hppa. halcy0n@gentoo.org 2005-10-08 22:23:00 0000 x86 done koon@gentoo.org 2005-10-11 08:30:04 0000 Still misses sparc keyword... gustavoz@gentoo.org 2005-10-11 10:58:24 0000 sparc stable. koon@gentoo.org 2005-10-12 00:42:04 0000 Ready for GLSA vote, I vote NO since I can't think of a supported arch where openssl is not in system. jaervosz@gentoo.org 2005-10-12 01:00:52 0000 Voting NO and closing without GLSA. Romang thanks for reporting. dragonheart@gentoo.org 2005-10-13 14:17:36 0000 The password attack on tmp files is one of the situtations. The second one based on scripts/mtx-changer.in does exist on all platforms. The exploit to use the vulnerability occurs on configurations where there the tape backup unit requires manual tape switching. The exploitable times are between tape changes. I'm not sure if this is a sufficiently common configuration for a glsa or not. I'm not sure if users are often given access on machines where a tape-backup may be connected that may be an effective countermeasure. A few seconds for your consideration people. koon@gentoo.org 2005-10-14 00:26:46 0000 Thx for the details. I agree the second scenario is more likely and tends to be run as root, so now I tend to vote yes :) jaervosz@gentoo.org 2005-10-14 00:32:32 0000 Small YES vote from me too. taviso@gentoo.org 2005-10-15 01:56:12 0000 i would vote NO, seems a rare configuration. Also, cannot control output, so mainly useful for sabotage. koon@gentoo.org 2005-10-19 01:13:10 0000 Let's get this done, please cast your vote. dragonheart@gentoo.org 2005-10-19 01:45:06 0000 If I'm allowed to vote I'll say no based on Tavis's comments. jaervosz@gentoo.org 2005-10-19 10:44:37 0000 Reverting to NO vote and closing with NO GLSA. Feel free to reopen if you disagree.