Description: Sam Couter has reported some vulnerabilities in FireHOL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to various temporary files being created insecurely. This can be exploited via symlink attacks to overwrite arbitrary files on the system with the privileges of a user running a vulnerable script. The vulnerabilities have been reported in version 1.214. Other versions may also be affected. Solution: Grant only trusted users access to affected systems.
Debian has a fix for this in unstable, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291680. The diff that Debian uses against plain 1.214 is available at http://ftp.debian.org/debian/pool/main/f/firehol/firehol_1.214-2.diff.gz. This contains some additional Debian-specific changes.
Hi, I have released v1.224 to fix the issue. Thanks. Costa Tsaousis
centic, please bump.
There is some difference in the way version 1.224 tries to fix the problem compared to how Debian did it.

firehol-1.224:

    # Remove any old directories that might be there.
    if [ -d "${FIREHOL_DIR}" ]
    then
        "${RM_CMD}" -rf "${FIREHOL_DIR}"
        if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
        then
            echo >&2
            echo >&2
            echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
            echo >&2
            exit 1
        fi
    fi
    "${MKDIR_CMD}" -p "${FIREHOL_DIR}" || exit 1
    "${MKDIR_CMD}" -p "${FIREHOL_CHAINS_DIR}" || exit 1

Debian:

    +#prevent symlink attacks
    +umask 077
    +mkdir "${FIREHOL_DIR}" || (echo "Creating ${FIREHOL_DIR} failed. Please remove it if it already exists." ; exit 1)

I'm not a security expert, therefore I would like to have some confirmation if the first way of solving this is appropriate. There seems to still be a slight chance of getting the directory created underneath between the rm and the mkdir, right?

Additionally I also saw the following code in firehol.sh:

    KERNEL_CONFIG="/proc/config"
    ${CAT_CMD} /proc/config >/tmp/kcfg.$$
    source /tmp/kcfg.$$
    ${RM_CMD} -f /tmp/kcfg.$$

Isn't that another thing that can be exploited quite easily? Especially as there is a "source" of the temp-file?
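Review bot: in the Debian hunk the `exit 1` runs inside the `( ... )` subshell, so when `mkdir "${FIREHOL_DIR}"` fails the message is printed but the calling script carries on with a directory it did not create and has not verified. Use `|| { echo "..."; exit 1; }` (braces, same shell) so the failure actually aborts; the `umask 077` line is fine but only protects entries created from this point on, which is another reason the script must stop if the mkdir is refused.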
Hi, I have changed the firehol temporary directory name to include the variable $RANDOM twice. I hope this will make the directory name completely unpredictable. I have also made sure FireHOL does not create any files outside its temporary directory (including the mentioned kcfg). All these in v1.225. Get it from http://firehol.sf.net/firehol.tar.gz I hope both these have solved all the threats of temporary file creation. If there are no other concerns, I'll release it asap. Costa
I also removed all -p from all mkdirs to make them fail if the directory already exists. In v1.226, same URL. Costa
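The three points discussed above (the rm/mkdir window in 1.224, the `source` of a predictable /tmp file, and why dropping `-p` from mkdir makes a pre-existing entry fail loudly) in one runnable sketch. This is an added example written for this thread, not code from FireHOL or the Debian package; the function names, the `example-` template prefix and the inputs that `demo` builds are all constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from FireHOL or Debian: defensive temporary-directory
# handling for a privileged shell script, covering the three points raised in
# this thread. The function names, the "example-" template prefix and the
# inputs built by demo() are all constructed for illustration.

# 1. Private working directory with an unpredictable name under parent $1.
#    mktemp -d creates it atomically with mode 0700 and fails instead of
#    reusing an entry that already exists, so there is no rm/mkdir window
#    and no pre-placed symlink can be followed. Prints the path on success.
make_private_dir() {
    dir=$(mktemp -d "$1/example-XXXXXXXX") || return 1
    # Refuse anything that is a symlink or not a mode-0700 directory.
    if [ -L "$dir" ] || [ -z "$(find "$dir" -prune -type d -perm 700)" ]; then
        rm -rf "$dir"
        return 1
    fi
    printf '%s\n' "$dir"
}

# 2. Why the maintainer dropped -p: plain mkdir fails with EEXIST when anything
#    already sits at the name, whereas mkdir -p reports success as long as the
#    name resolves to a directory, which a symlink to one does. Returns 0 when
#    an existing entry at $1 is refused by mkdir but accepted by mkdir -p.
mkdir_p_masks_existing() {
    if mkdir "$1" 2>/dev/null; then
        return 1    # nothing was there: the name was genuinely free
    fi
    mkdir -p "$1" 2>/dev/null
}

# 3. Load a shell-syntax config file such as /proc/config without staging it
#    through a predictable /tmp path first. Sourcing the file in place leaves
#    no writable intermediate for another user to swap out between cat and
#    source. The ./ prefix stops the shell from searching $PATH for bare names.
load_config_file() {
    [ -f "$1" ] || return 1
    case $1 in
        */*) . "$1" ;;
        *)   . "./$1" ;;
    esac
}

# Demonstration on constructed inputs inside a throwaway sandbox.
# Returns 0 if all three behaviours hold.
demo() {
    sandbox=$(mktemp -d) || return 1
    # a) private directory, mode 0700, not a symlink
    priv=$(make_private_dir "$sandbox") || return 1
    [ -d "$priv" ] || return 1
    # b) a symlink already sitting at a predictable name: mkdir -p reports
    #    success on it, plain mkdir refuses
    mkdir "$sandbox/real-dir" || return 1
    ln -s "$sandbox/real-dir" "$sandbox/predictable" || return 1
    mkdir_p_masks_existing "$sandbox/predictable" || return 1
    # c) a constructed kernel-config-style file, sourced in place
    printf 'CONFIG_EXAMPLE_NETFILTER=y\n' > "$sandbox/kcfg" || return 1
    load_config_file "$sandbox/kcfg" || return 1
    [ "$CONFIG_EXAMPLE_NETFILTER" = y ] || return 1
    rm -rf "$sandbox"
}

demo && printf 'all three checks hold\n'
```

`make_private_dir` is the part that answers the race question: `mktemp -d` never removes anything, it only ever creates a fresh entry, so a directory that appears "underneath" between rm and mkdir simply cannot happen. The `$RANDOM` approach narrows the window; an atomic create with a kernel-chosen name closes it.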
centic: v 1.226 looks right to me. Please bump to that.
The complete package for 226 is not yet available, only one for 224. Therefore I have added Version 1.224 plus a patch that adds the diff from cvs of rev. 225 and 226.
x86: please test 1.224 and mark stable
Released v1.226. Thank you all. Costa
centic: if you tested on x86 please mark it stable.
Sorry for the delay, this is my first security-bug, so I am not sure which actions the developer should perform and what is done by the security team. 1.224 is marked stable on x86 now. I will upgrade to 1.226 with normal procedures as the proper security fix is contained in 1.224 already.
Thanks Dominik. If you have any questions wrt security bugs please join #gentoo-security or drop me a line. This one is ready for GLSA.
GLSA 200502-01 thanks everyone