Bug 438446 (CVE-2012-4517) - <sys-fabric/ibacm-1.0.8: Two Denial of Service (CVE-2012-{4517,4518})
Summary: <sys-fabric/ibacm-1.0.8: Two Denial of Service (CVE-2012-{4517,4518})
Status: RESOLVED FIXED
Alias: CVE-2012-4517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa cve]
Reported: 2012-10-15 08:41 UTC by Agostino Sarubbo
Modified: 2016-06-30 08:12 UTC
Description Agostino Sarubbo gentoo-dev 2012-10-15 08:41:51 UTC
From oss-security:

Issue #2 ibacm - DoS (ib_acm daemon crash) by joining responses for multicast destinations:
===========================================================================================
  A denial of service flaw was found in the way ibacm, an InfiniBand communication manager
assistant, performed management of reference counts for multicast connections. The default
reference count value for multicast connection is set to zero and when the multicast connection
got released, an attempt was made to free it, possibly resulting in ib_acm service / daemon
crash.

References: https://bugzilla.redhat.com/show_bug.cgi?id=865492
Relevant upstream patch: http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=c7d28b35d64333c262de3ec972c426423dadccf9

Issue previously corrected by upstream and its security implications pointed out later
by Florian Weimer of Red Hat Product Security Team.

Issue #3 ibacm - ib_acm service files created with world writable permissions (DoS):
====================================================================================
  A security flaw was found in the way ibacm, an InfiniBand communication manager
assistant, created files used by ib_acm service - they were created with world
writable permissions. A local attacker could use this flaw to 1) overwrite content
of ib_acm daemon log file or 2) overwrite content of ib_acm daemon ibacm.port file
(ability to mask certain actions or cause ib_acm to run on non-default port).

References: https://bugzilla.redhat.com/show_bug.cgi?id=865499
Relevant upstream patch: http://git.openfabrics.org/git?p=~shefty/ibacm.git;a=commit;h=d204fca2b6298d7799e918141ea8e11e7ad43cec

Credit: This issue was discovered by Florian Weimer of Red Hat Product Security Team.
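
An added example, not part of the original report and not ibacm's own code: it illustrates the bug class in Issue #3 by creating a service file the weak way and the hardened way, with a check that flags the world-writable bit. The function names, the demo file name and the cleared-umask cause are assumptions for illustration; the report does not say how ibacm created its files.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Weak pattern (assumed, not ibacm's code): umask cleared, so fopen() creates 0666. */
int create_weak(const char *path)
{
    mode_t old = umask(0);
    FILE *f = fopen(path, "w");
    umask(old);
    if (!f) return -1;
    fclose(f);
    return file_mode(path);
}

/* Hardened: request 0640 explicitly, refuse symlinks, and fchmod() so a
 * file left behind by an older, vulnerable version is tightened as well. */
int create_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0640);
    close(fd);
    return rc == 0 ? file_mode(path) : -1;
}

/* Audit check: 1 if any local user may write the file, 0 if not, -1 on error. */
int is_world_writable(const char *path)
{
    int mode = file_mode(path);
    return mode < 0 ? -1 : (mode & S_IWOTH) != 0;
}

int main(void)
{
    const char *path = "ibacm.port.demo"; /* constructed name, created in the cwd */
    int weak = create_weak(path), hard = create_hardened(path);
    printf("weak: %04o, hardened: %04o\n", (unsigned)weak, (unsigned)hard);
    unlink(path);
}
```

The `fchmod()` call matters on upgrade: a file created world-writable by an earlier version keeps its mode when it is merely reopened.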
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-23 20:22:14 UTC
CVE-2012-4518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4518):
  ibacm 1.0.7 creates files with world-writable permissions, which allows
  local users to overwrite the ib_acm daemon log or ibacm.port file.

CVE-2012-4517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4517):
  ibacm before 1.0.6 does not properly manage reference counts for multicast
  connections, which allows remote attackers to cause a denial of service
  (ibacm service crash) via a crafted join response.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 17:45:15 UTC
1.0.8 seems to be available. Bump required.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 10:12:32 UTC
1.0.8 is in tree. @maintainers, please clean up vulnerable version 1.0.7 in tree. Once complete, feel free to close this bug. GLSA Vote: No
Comment 4 Alexey Shvetsov archtester gentoo-dev 2016-06-30 07:41:09 UTC
Old versions removed from tree
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 08:12:12 UTC
(In reply to Alexey Shvetsov from comment #4)
> Old versions removed from tree

Thanks so much, Alexey!