Bug#: 240576
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Behte <craig@gentoo.org>

Description:   Opened: 2008-10-08 19:46 0000
/usr/sbin/fence_apc logs to /tmp/apclog, if you use verbose mode:
./fence_apc -v -l foo -p bar -n 1 -a 192.168.0.1
it will write into that file.

If you
a) link to /etc/passwd
b) redirect the connection (e.g. arp-spoof, dns-spoof)
you can do this on the host you redirected to:
echo "hacked::0:0:root:/root:/bin/bash" | nc -l -p 23
And the account will be appended to /etc/passwd.
Honestly I doubt that will ever happen in reality, but it's possible.

http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=blob_plain;f=fence/agents/apc/fence_apc.py;hb=HEAD
seems to be a completely updated version.

------- Comment #1 From Stefan Behte 2008-10-19 03:42:12 0000 -------
http://www.openwall.com/lists/oss-security/2008/10/13/3
Seems there is also a hole in fence_manual / fence_ack_manual fifo handling,
it's a different bug, but I guess we can fix both in this bug #.

------- Comment #2 From Stefan Behte 2008-10-19 03:43:54 0000 -------
CVE-2008-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4579):
  The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
  fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
  allows local users to append to arbitrary files via a symlink attack
  on the apclog temporary file.

CVE-2008-4580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4580):
  fence_manual in fence allows local users to modify arbitrary files
  via a symlink attack on the fence_manual.fifo temporary file.
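
The root cause in both CVEs above is a privileged program opening a predictable path in a world-writable directory with default flags, so a symlink planted there is silently followed. The following is an added example, not code from fence_apc.py or the cluster project: it contrasts the naive `open(path, "a")` pattern with a hardened opener that passes `O_NOFOLLOW` and then verifies via `fstat` that the descriptor refers to a regular file owned by the current user with a single link and no group/world write bit (the regular-file check is what also rejects a fifo or device sitting at that path). Names such as `naive_append`, `open_log_nofollow`, `safe_append` and `demo` are hypothetical, and the scenario it builds (a symlink named `apclog` pointing at a stand-in `passwd` file inside a private temporary directory) is constructed for the demonstration. It assumes a POSIX platform where `os.O_NOFOLLOW` exists.

```python
import os
import stat
import tempfile


def naive_append(path, line):
    """The pattern behind CVE-2008-4579: a fixed path in /tmp opened with the
    default flags, which follow whatever symlink has been placed there."""
    with open(path, "a") as f:
        f.write(line)


def open_log_nofollow(path, mode=0o600):
    """Open `path` for appending without following a symlink at the final
    component, then confirm through fstat that the descriptor is our own
    private regular file. Raises OSError on any mismatch. Hypothetical helper."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)  # ELOOP if `path` is a symlink
    try:
        st = os.fstat(fd)  # inspect the object we actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path}: not a regular file (fifo/device?)")
        if st.st_uid != os.geteuid():
            raise OSError(f"{path}: owned by uid {st.st_uid}, not uid {os.geteuid()}")
        if st.st_nlink != 1:
            raise OSError(f"{path}: {st.st_nlink} hard links, refusing")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise OSError(f"{path}: group/world writable, refusing")
    except OSError:
        os.close(fd)
        raise
    return fd


def safe_append(path, line):
    """Append `line` to `path` via the hardened opener.
    Returns True on success, False when the opener refused the path."""
    try:
        fd = open_log_nofollow(path)
    except OSError:
        return False
    try:
        os.write(fd, line.encode())
    finally:
        os.close(fd)
    return True


def demo():
    """Constructed scenario: 'apclog' is a symlink to a stand-in 'passwd' file
    in a private temp dir. Returns what each opener did with it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")   # constructed stand-in, not /etc/passwd
        link = os.path.join(d, "apclog")     # the predictable log path
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        os.symlink(target, link)

        naive_append(link, "injected-line\n")
        after_naive = open(target).read()

        refused = not safe_append(link, "injected-line\n")
        after_safe = open(target).read()

        # A fresh, non-symlink path is still accepted by the hardened opener.
        clean = os.path.join(d, "apclog.real")
        accepted = safe_append(clean, "verbose output\n")

        return {
            "naive_wrote_through_symlink": "injected-line" in after_naive,
            "safe_refused_symlink": refused,
            "safe_left_target_alone": after_safe.count("injected-line") == 1,
            "safe_accepts_plain_file": accepted,
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fstat checks matter because `O_NOFOLLOW` only protects the last path component; ownership, link count and permission bits on the opened descriptor catch a pre-created file or hard link left in the directory. The cleaner fix, which is what upstream's 2.03.09 audit moved towards, is to avoid a predictable name altogether (for example `tempfile.mkstemp` in a per-user directory, or logging to stderr/syslog) so there is nothing for an attacker to pre-plant.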

------- Comment #3 From Stefan Behte 2008-11-10 16:10:17 0000 -------
ha-cluster: *ping*

------- Comment #4 From Alex Legler 2009-03-09 19:29:23 0000 -------
ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm
whether this issue is fixed in your newer ebuilds?

------- Comment #5 From Alex Legler 2009-06-09 15:32:03 0000 -------
(In reply to comment #4)
> ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm
> whether this issue is fixed in your newer ebuilds?
> 

Thanks!

I found this at the Debian bugtracker:

   * New upstream release version 2.03.09.
     - Upstream code audit fixes several tmpfile race conditions, among
       them CVE-2008-4579 and CVE-2008-4580. (Closes: #496410)

We have that version in the tree, stabled, old versions are removed. 
So, GLSA voting time!

------- Comment #6 From Stefan Behte 2009-06-12 22:01:28 0000 -------
Ready to vote, I vote YES.
What about you, a3li? ;)

------- Comment #7 From Robert Buchholz 2009-07-10 11:03:03 0000 -------
YES, filed
