Hello,

Look at cts/CTStests.py.in:

  873     fstmpfile = "/tmp/band_estimate"
  874     dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
  875         % (port, fstmpfile);

  1076     self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
  1077     if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
  1078         line = open("/tmp/drbd").readlines()[2]

  1113     if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
  1114         self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
  1115         lines=open("/tmp/drbdconf","r")

Also in heartbeat/lib/BasicSanityCheck.in:

  46 LOGFILE=/tmp/linux-ha.testlog

This file contains a lot of actions on the insecure tmp file.

Also in lib/stonith/meatclient.c:

  58     const char * meatpipe_pr = "/tmp/.meatware";
  101     snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);

Regards.
(In reply to comment #0)
> cts/CTStests.py.in
>
> 873 fstmpfile = "/tmp/band_estimate"
> 874 dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
> 875 % (port, fstmpfile);

confirmed, insecure temp file handling.

> 1076 self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
> 1077 if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
> 1078 line = open("/tmp/drbd").readlines()[2]

confirmed, second order symlink attack.

> 1113 if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
> 1114 self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
> 1115 lines=open("/tmp/drbdconf","r")

confirmed, second order symlink attack via scp.

> heartbeat/lib/BasicSanityCheck.in
>
> 46 LOGFILE=/tmp/linux-ha.testlog

confirmed, second order again.

> lib/stonith/meatclient.c
>
> 58 const char * meatpipe_pr = "/tmp/.meatware";
> 101 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);
>
> Regards.

confirmed, looks like it needs some O_EXCL goodness line ~103.
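The fixed-name /tmp pattern confirmed above, and the O_CREAT|O_EXCL fix the reply asks for, as an added example; this is not code from the bug report or from heartbeat. It assumes a sandbox directory created with tempfile.mkdtemp standing in for a world-writable /tmp (so it runs without touching the real /tmp), reuses the name band_estimate from the report, and uses hypothetical helper names (plant_symlink, insecure_write, secure_write, unique_write, demo). It shows both fixes: O_EXCL for a name that has to stay fixed (the meatclient pipe case) and mkstemp for scratch files (the band_estimate / drbd / drbdconf cases).

```python
import errno
import os
import shutil
import tempfile

# Added example (not heartbeat code). The sandbox directory stands in for a
# world-writable /tmp; "band_estimate" is the fixed name from cts/CTStests.py.in.


def plant_symlink(shared_dir, name, target):
    """Attacker's move: pre-create the predictable name as a symlink to a file
    the privileged writer would never intend to touch."""
    link = os.path.join(shared_dir, name)
    os.symlink(target, link)
    return link


def insecure_write(shared_dir, name, data):
    """The reported pattern: open a fixed name under the shared directory for
    writing. open() follows symlinks, so a planted link redirects the
    truncate-and-write to the link's target."""
    path = os.path.join(shared_dir, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def secure_write(shared_dir, name, data):
    """Fix when the name must stay fixed: O_CREAT|O_EXCL fails with EEXIST if
    anything already sits at the path, symlinks included; O_NOFOLLOW is extra
    insurance where the platform has it. Mode 0600 instead of the umask default."""
    path = os.path.join(shared_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def unique_write(shared_dir, data):
    """Fix for scratch files: mkstemp picks an unpredictable name and opens it
    with O_EXCL itself, so there is no name for an attacker to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="band_estimate.", dir=shared_dir)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def demo():
    """Run the symlink attack against the insecure writer, then show both fixes."""
    sandbox = tempfile.mkdtemp(prefix="tmp_symlink_demo.")
    try:
        victim = os.path.join(sandbox, "victim_file")
        with open(victim, "w") as f:
            f.write("original contents\n")

        # Attacker wins the race: the link exists before the writer runs.
        plant_symlink(sandbox, "band_estimate", victim)

        insecure_write(sandbox, "band_estimate", "attacker-chosen content\n")
        with open(victim) as f:
            victim_after = f.read()

        try:
            secure_write(sandbox, "band_estimate", "tcpdump output\n")
            refused = None
        except OSError as e:
            refused = e.errno

        uniq = unique_write(sandbox, "tcpdump output\n")
        with open(uniq) as f:
            uniq_content = f.read()

        return {
            "victim_clobbered": victim_after == "attacker-chosen content\n",
            "secure_open_refused": refused == errno.EEXIST,
            "unique_file_intact": uniq_content == "tcpdump output\n"
            and os.path.basename(uniq) != "band_estimate",
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

The "second order" variants in the report (scp pulling a remote /tmp file into the local /tmp, then open() reading it) fail the same way on the read side: a planted local symlink makes the privileged process read or overwrite whatever the link points at, so the mkstemp approach applies to the local copy as well.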
Eric, please tell us when upstream is advised...
Hello, Vendor informed. Regards.
Leaked by Secunia, SA16039
Pulling in maintainer
Cluster, please provide an updated ebuild.
Can someone please test and commit this pack-of-debian-security-patches [1] to 1.2.3? I have no heartbeat installations currently.

[1] http://dev.gentoo.org/~voxus/stuff/heartbeat-1.2.3-debian_security_fixes.patch
reply to #7: sure, I'll test it.
reply to #8: do they work and if yes, do you want to commit them?
heartbeat-1.2.3-r1 is in CVS (with the suggested fix), but it's not marked stable. Security Team, please review it and mark it stable (almost on x86 as the previous one).
x86 please test and mark stable.
x86 testers, or cluster herd: could you test and mark stable on x86?
The patch works fine, but I've found another problem. The LVM scripts in heartbeat don't work fine with LVM2; the patch also fixes this behaviour, but we don't have the /sbin/lvmiopversion util (from lvm-common) in portage. So I've split the patch, marked the -r1 ebuild with the security fix stable, and added another ebuild (-r2) with an experimental LVM2 fix.
Please don't close security bugs, we'll do it when we are finished with them. Security: please vote on GLSA need. I don't know what to vote, on one hand, those are probably root-executed scripts, on the other, heartbeat is not something you often find on multiuser setups... I guess I vote half-yes...
Half YES from me as well.
weak YES also
OK, let's make that a full yes.
GLSA 200508-05