Comment 1 Tavis Ormandy (RETIRED) 2005-07-05 06:09:22 UTC

(In reply to comment #0)
> cts/CTStests.py.in
> 
> 873         fstmpfile = "/tmp/band_estimate"
> 874         dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
> 875         %               (port, fstmpfile);

confirmed, insecure temp file handling.

> 1076             self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
> 1077             if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
> 1078                 line = open("/tmp/drbd").readlines()[2]

confirmed, second order symlink attack.

> 1113         if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
> 1114             self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
> 1115             lines=open("/tmp/drbdconf","r")

confirmed, second order symlink attack via scp.

> heartbeat/lib/BasicSanityCheck.in
> 
> 46 LOGFILE=/tmp/linux-ha.testlog

confirmed, second order again.

> lib/stonith/meatclient.c
> 
> 58         const char *    meatpipe_pr = "/tmp/.meatware";
> 101                 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);
> 
> Regards.

confirmed, looks like it needs some O_EXCL goodness line ~103.

Comment 2 Thierry Carrez (RETIRED) 2005-07-11 05:20:20 UTC

Eric, please tell us when upstream is advised...

Hello,

Vendor informed.

Regards.

Comment 4 Thierry Carrez (RETIRED) 2005-07-13 12:55:55 UTC

Leaked by Secunia, SA16039

Comment 5 Thierry Carrez (RETIRED) 2005-07-18 05:27:01 UTC

Pulling in maintainer

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2005-07-18 23:55:18 UTC

Cluster, please provide an updated ebuild. 

Comment 7 Konstantin Arkhipov (RETIRED) 2005-07-22 07:29:05 UTC

can someone please test and commit this pack-of-debian-security-patches [1] to 
1.2.3?

i have no heartbeat installations currently.

[1] http://dev.gentoo.org/~voxus/stuff/heartbeat-1.2.3-debian_security_fixes.
patch

Comment 8 Christian Zoffoli (RETIRED) 2005-07-23 07:28:00 UTC

reply to #7: 

sure, I'll test it.

Comment 9 Michael Imhof (RETIRED) 2005-07-28 14:52:29 UTC

reply to #8:

do they work and if yes, do you want to commit them?

Comment 10 Christian Zoffoli (RETIRED) 2005-07-28 17:27:21 UTC

heartbeat-1.2.3-r1 is on cvs (with the suggested fix), but it's not marked stable.

Security Team please review it and mark it stable (almost on x86 as the previous
one).

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2005-07-28 22:35:40 UTC

x86 please test and mark stable. 

Comment 12 Thierry Carrez (RETIRED) 2005-07-31 04:40:27 UTC

x86 testers, or cluster herd: could you test and mark stable on x86 ?

Comment 13 Christian Zoffoli (RETIRED) 2005-08-01 06:35:23 UTC

The patch works fine but I've found another problem.

LVM scripts in heartbeat doesn't works fine with LVM2, the patch fixes also this
behaviour but we haven't /sbin/lvmiopversion util (from lvm-common) in the portage.

So, I've splitted the patch and marked stable the -r1 ebuild with the security
fix and I've added another ebuild (-r2) with an experimental LVM2 fix.

Comment 14 Thierry Carrez (RETIRED) 2005-08-01 08:04:24 UTC

Please don't close security bugs, we'll do it when we are finished with them.
Security: please vote on GLSA need.

I don't know what to vote, on one hand, those are probably root-executed
scripts, on the other, heartbeat is not something you often find on multiuser
setups... I guess I vote half-yes...

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-01 21:58:28 UTC

Half YES from me as well. 

Comment 16 Tavis Ormandy (RETIRED) 2005-08-05 00:34:23 UTC

weak YES also

Comment 17 Thierry Carrez (RETIRED) 2005-08-05 00:37:00 UTC

OK, let's make that a full yes.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-07 01:07:54 UTC

GLSA 200508-05