Bug#: 107871
Status: RESOLVED
Resolution: WORKSFORME
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-10-02 04:17 0000

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-02 04:17:53 0000 -------
From Debian Security Advisory DSA 836-1
CVE ID         : CAN-2005-2960

Javier Fernández-Sanguino Peña discovered insecure temporary file use
in cfengine2, a tool for configuring and maintaining networked
machines, that can be exploited by a symlink attack to overwrite
arbitrary files owned by the user executing cfengine, which is
probably root.

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-10-02 10:19:25 0000 -------
Lance/Kurt please verify and advise. 

------- Comment #3 From Lance Albertson 2005-10-02 10:35:41 0000 -------
Hrm.. I looked into it and couldn't find much information about it and the fix.
I just emailed the cfengine list to get some more feedback on the issue. In the
meantime, I did notice they had a newer version of cfengine out that I hadn't
bumped yet. I'll see about bumping that (even though there is no mention about a
security fix in the changelog).

------- Comment #4 From Lance Albertson 2005-10-03 06:27:50 0000 -------
I started the thread [1] on the cfengine mailing list and I got two responses
back. The first [2] one went into detail about the actual vuln being a
third-party script that's called vicf. Some of the older ebuilds used to include
this because it was in the contrib folder. The latest ebuilds I have in portage
right now shouldn't include that script. The second [3] reply was from the
actual author of cfengine basically saying the same thing.

My call is that this shouldn't be a problem since I don't include those scripts
anymore. I just double checked and I just removed the ebuilds that used to have
that file included a few days ago. If anyone hadn't updated cfengine in the last
say.. 2-3 months, they may be vuln to this exploit. But this exploit is only if
they use the third party scripts.

Let me know if you need more information.

[1] http://thread.gmane.org/gmane.comp.sysutils.cfengine.general/6713
[2] http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6715
[3] http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6717

------- Comment #5 From Thierry Carrez (RETIRED) 2005-10-03 06:40:14 0000 -------
OK, we'll consider this one fixed in recent versions, and not worth a GLSA
(obscure contrib script). Thanks for investigating this.

Security: feel free to reopen if you disagree.
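
The insecure temporary file pattern that DSA 836-1 describes, next to a hardened form, as an added example that is not code from cfengine, vicf, or this bug report. All function names and paths are constructed, and the demo only touches a private sandbox directory it creates itself.

```shell
#!/bin/sh
# Added example: every name and path here is constructed for illustration.

# Weak pattern: predictable name in a shared directory, opened with plain '>'.
# '>' follows a symlink already sitting at that name and truncates its target.
write_predictable() {    # $1 = shared tmp dir, $2 = data
    tmp="$1/edit.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (O_EXCL, mode 0600), so a pre-existing link is never followed.
write_safe() {           # $1 = shared tmp dir, $2 = data; prints the path used
    tmp=$(mktemp "$1/edit.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Sandbox comparison: "victim" stands in for a file the privileged user owns.
# Prints the victim's content after each pattern has run.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"

    echo "original" > "$box/victim"
    ln -s "$box/victim" "$box/tmp/edit.$$"    # link at the predictable name
    write_predictable "$box/tmp" "scratch"
    after_weak=$(cat "$box/victim")

    echo "original" > "$box/victim"           # reset, link still in place
    used=$(write_safe "$box/tmp" "scratch") || return 1
    after_safe=$(cat "$box/victim")

    rm -rf "$box"
    printf '%s %s\n' "$after_weak" "$after_safe"
}

demo
```

The first word printed is the victim file's content after the predictable-name write, the second after the mktemp write.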
