Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 264564 (CVE-2009-0115) - <sys-fs/multipath-tools-0.4.8-r1 World-writable socket (CVE-2009-0115)
Summary: <sys-fs/multipath-tools-0.4.8-r1 World-writable socket (CVE-2009-0115)
Status: RESOLVED FIXED
Alias: CVE-2009-0115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://download.opensuse.org/update/1...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-01 23:15 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-02 21:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-01 23:15:53 UTC
CVE-2009-0115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0115):
  multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
  Enterprise Server (SLES) 10 uses world-writable permissions for the
  socket file (aka /var/run/multipathd.sock), which allows local users
  to send arbitrary commands to the multipath daemon.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 20:10:00 UTC
base-system, ping
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-10-30 08:10:55 UTC
In 0.4.8-r1 (1.2) now, cleared for stable request (has some other fixes in it too).
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-30 10:36:51 UTC
Arches, please test and mark stable:
=sys-fs/multipath-tools-0.4.8-r1
Target keywords : "amd64 ppc ppc64 x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-10-31 13:15:28 UTC
ppc64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-03 19:25:24 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2009-11-04 11:11:24 UTC
amd64 stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-11-13 01:01:21 UTC
Marked ppc stable.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:42:08 UTC
GLSA vote: yes.
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-01-29 23:21:39 UTC
+1 vote as the maintainer. Anybody writing to the socket locally can cause SAN disks to go offline, potentially causing an entire OCFS2 cluster to fence/panic.
Comment 11 solar (RETIRED) gentoo-dev 2010-01-29 23:26:35 UTC
I've confirmed this problem exists in my production cluster. chmod o-rwx /var/run/multipath.sock works around it at runtime. But it's less then ideal.
Please fire off a GLSA for this to raise awareness.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-29 23:31:01 UTC
GLSA request filed.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:24:49 UTC
GLSA 201006-10