From ${URL} : It was reported on full-disclosure that ibutils suffers from improper use of files /tmp that could allow a user to clobber files as the user running ibutils (probably usually root). References: http://seclists.org/fulldisclosure/2013/Mar/87 https://bugzilla.redhat.com/show_bug.cgi?id=927430
I will update it ASAP to version from ofed-3.5.0
CVE-2013-2561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2561): OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary files via a symlink attack on (1) ibdiagnet.db, (2) ibdiagnet.fdbs, (3) ibdiagnet_ibis.log, (4) ibdiagnet.log, (5) ibdiagnet.lst, (6) ibdiagnet.mcfdbs, (7) ibdiagnet.pkey, (8) ibdiagnet.psl, (9) ibdiagnet.slvl, or (10) ibdiagnet.sm in /tmp/.
Old versions removed from tree
(In reply to Alexey Shvetsov from comment #3) > Old versions removed from tree Thanks. Still trying to track where the vulnerability was fixed. If I cannot find anything, I will try to replicate the symlink attack when I get a bit more time.
You may wanna wait a little bit. I'll add new versions that was released recently
(In reply to Alexey Shvetsov from comment #5) > You may wanna wait a little bit. I'll add new versions that was released > recently Well that is the issue. No information shows where the vulnerability was patched.
UPDATE: I've tried to replicate the same issue on ibutils-1.5.7-0.2.gbd7e502.tar.gz the result: -E- The following tile is write protected: /tmp/ibdiagnet.log Error message: "couldn't open "/tmp/ibdiagnet.log": permission denied" Exiting I've tested it on an arch vm which has the latest ibutils version, @Maintainers: could you please confirm if there is going to be a version bump since the package is masked right now?
The current package in Gentoo repository is still vulnerable. @ Maintainer(s): Please apply the following patch from Red Hat (https://salsa.debian.org/hpc-team/ibutils/blob/master/debian/patches/do_not_use_tmp.patch) which changes ibutils default tmp path to /var/cache/ibutils which can be locked down.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03325ebfa6d282818310103f8ce387bc5f2965c1 commit 03325ebfa6d282818310103f8ce387bc5f2965c1 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-12-01 20:26:22 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-12-01 20:59:54 +0000 package.mask: Last rite sys-fabric/ibutils Bug: https://bugs.gentoo.org/463338 Signed-off-by: Michał Górny <mgorny@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)
The package is now gone.
