Bug 159580 - net-im/ejabberd: Unspecified vuln + Insecure /tmp file usage.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B? [noglsa] Falco
Duplicates: 168597 182159
Reported: 2006-12-31 08:36 UTC by Vic Fryzel (shellsage) (RETIRED)
Modified: 2007-07-11 20:10 UTC
Description Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2006-12-31 08:36:44 UTC
The file net-im/ejabberd/files/self-cert.sh distributed with the ejabberd ebuild makes insecure use of files in /tmp.  If the file /tmp/privkey.pem were to exist as a symlink prior to a cert being generated (ejabberd being installed), the overwriting of arbitrary files on the filesystem would be possible.  Please first create this file with either the tempfile or mktemp commands.
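The symlink problem described in the report above and the mktemp approach it asks for, as an added example that is not part of the bug report or of the ejabberd ebuild. It runs inside a private sandbox directory instead of /tmp; the function names and the key placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every path lives in a throwaway sandbox, not the real /tmp.

# Predictable-name pattern from the report: the shell's ">" redirection
# opens the path with O_CREAT|O_TRUNC and follows a symlink already there.
write_key_predictable() {
    dir=$1
    printf '%s\n' 'CONSTRUCTED-KEY-MATERIAL' > "$dir/privkey.pem"
}

# Pattern the report asks for: mktemp chooses an unpredictable name and
# creates the file exclusively with mode 0600, so a link planted at a
# guessed name is never opened. Prints the path of the new file.
write_key_mktemp() {
    dir=$1
    keyfile=$(mktemp "$dir/privkey.XXXXXX") || return 1
    printf '%s\n' 'CONSTRUCTED-KEY-MATERIAL' > "$keyfile"
    printf '%s\n' "$keyfile"
}

# Plant a symlink at the predictable name, run the given writer, and
# print what the link target contains afterwards.
victim_after() {
    writer=$1
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/privkey.pem"
    "$writer" "$sandbox" > /dev/null
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

printf 'predictable name: link target holds "%s"\n' \
    "$(victim_after write_key_predictable)"
printf 'mktemp name:      link target holds "%s"\n' \
    "$(victim_after write_key_mktemp)"
```

On Linux kernels with fs.protected_symlinks=1, following another user's symlink in a sticky world-writable directory such as /tmp is refused as well; the sandbox here belongs to a single user, so that protection does not change the result.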
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 12:48:30 UTC
net-im please advise.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 12:06:03 UTC
see http://secunia.com/advisories/24075/

net-im or humpback, please advise: 1.1.3 fixes this unspecified issue, + patch needed for the /tmp thing. Thanks in advance
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-02-27 16:31:58 UTC
*** Bug 168597 has been marked as a duplicate of this bug. ***
Comment 4 Gustavo Felisberto (RETIRED) gentoo-dev 2007-02-27 17:40:58 UTC
I am incorrectly listed as maintainer.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-27 20:31:38 UTC
bumped to version 1.1.3, x86 please test and stable.

There are problems with the init script, but these seem to be known (as described in http://gentoo-wiki.com/Ejabberd), can't be bothered to fix them during a security bump.

The /tmp stuff should be fixed, as we use a new version of the script which does not use temporary stuff. The unknown vulnerability looks like an SQL injection.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-28 07:51:03 UTC
(In reply to comment #5)
> there are problems with the init script, but these seem to be known (as
> described in http://gentoo-wiki.com/Ejabberd), can't be bothered to fix them
> during a security bump.

 The path to the beam binary was hardcoded to a moving target.  Every erlang version changes the path name due to version bumps, but some time ago I added a symlink to erlang's ebuild to have it in /usr/bin/.  Initscript has been adjusted and also a useless dodoc entry removed. x86 stable.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-28 18:15:10 UTC
GLSA vote ... given that only x86 was stable and that I expect only very few installations, I tend to say no here
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:05:43 UTC
kinda tending to vote yes
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:31:43 UTC
ejabberd? I would say it's probably used on a few boxes... But I would say "no" too because of the lower impact + of the low number of installations. The temp issue can only be triggered during emerge. The second issue is "unspecified".
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-09 23:01:08 UTC
I agree with Falco and Dercorny, it's a marginal software, so I tend to vote no.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-12 16:10:48 UTC
closing without glsa then
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-11 20:10:55 UTC
*** Bug 182159 has been marked as a duplicate of this bug. ***