| Field | Value |
|---|---|
| Summary | app-backup/bacula <= 1.34.4 multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | Romang \<zataz\> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security \<security\> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | app-backup, fserb, hadfield |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | C3 [noglsa] jaervosz |
| Package list | |
| Runtime testing required | --- |
Description
Romang
2005-09-06 02:38:28 UTC
(In reply to comment #0)
> Hello,
>
> * Take a look at: autoconf/randpass
> ...

This would only be exploitable on systems that don't have an openssl command, so not many systems would be affected; nevertheless, it could potentially be an issue. Suggest adding a dependency on openssl.

> * Take a look at: rescue/linux/getdiskinfo

This file does not appear to be installed, and is therefore invalid.

> * Take a look at: scripts/mtx-changer.in

Yes, I don't see why a temporary file is needed here; this could be done in a single pipeline.

> * Also we got this variable in a lot of scripts:
>
> working_directory = "/tmp";
>
> Upstream should check the usage of this variable.

Perhaps. I'll leave that to the security team/maintainers to decide.

>> Hello,
>>
>> * Take a look at: autoconf/randpass
>> ...
> This would only be exploitable on systems that don't have an openssl command, so
> not many systems would be affected; nevertheless, it could potentially be an
> issue. Suggest adding a dependency on openssl.

... Why openssl? ...

Regards

Because it's only used if openssl isn't available.

eric: where do we stand here? Upstream warned?

Hello,

Reported into the bacula bug system.
http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422

Regards.

Now public. Version 1.37.39 is out and fixes the issue. Maintainers: please bump.

CCing herd as maintainers don't answer...

Is this a major issue? I just installed bacula and was about to configure it to back up a pretty important server over the public Internet... is that a bad idea with this version? I just installed 1.34.4 because that's what's marked stable right now, and I hadn't seen this yet. Also, how is bacula-1.36.3-r1 in comparison? Is it stable? I see the reference to 1.37.39 above... seems like we're a bit behind. Are there other vulnerabilities that 1.36.3 still has problems with?

These are both local attacks, meaning the attacker needs to get access to the system (and be free to execute code on it). So if you don't have local users on the platform you use Bacula on, that's not such a big deal.

app-backup please bump.

bacula-1.36.3-r2 added that fixes the vulnerability. Romang, thank you; please check. FYI: 1.37* is the unstable beta version.

Nothing in CVS yet.

Ok, it is in now. Arches please test and mark stable.

Stable on ppc and hppa.

x86 done

Still misses sparc keyword...

sparc stable.

Ready for GLSA vote. I vote NO since I can't think of a supported arch where openssl is not in system.

Voting NO and closing without GLSA. Romang, thanks for reporting.

The password attack on tmp files is one of the situations. The second one, based on scripts/mtx-changer.in, does exist on all platforms. The exploit to use the vulnerability occurs on configurations where the tape backup unit requires manual tape switching. The exploitable times are between tape changes. I'm not sure if this is a sufficiently common configuration for a GLSA or not. I'm not sure if users are often given access on machines where a tape backup may be connected; that may be an effective countermeasure. A few seconds for your consideration, people.

Thx for the details. I agree the second scenario is more likely and tends to be run as root, so now I tend to vote yes :)

Small YES vote from me too.

I would vote NO, seems a rare configuration. Also, cannot control output, so mainly useful for sabotage.

Let's get this done, please cast your vote.

If I'm allowed to vote I'll say no based on Tavis's comments.

Reverting to NO vote and closing with NO GLSA. Feel free to reopen if you disagree.
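The two script-level weaknesses discussed in this bug are a fixed temporary file under a world-writable `working_directory` (the mtx-changer point) and a password generator that only behaves well when the `openssl` command exists (the randpass point). The following is an added, constructed example, not Bacula's own `mtx-changer.in` or `randpass`: a stand-in changer helper whose `mtx status` output is a fixed sample, shown with the predictable temp-file pattern, the single-pipeline rewrite the commenter suggests, and an `mktemp`-based variant for cases where a file is genuinely required. The `make_password` function assumes `/dev/urandom` is available as the fallback when `openssl` is absent; all function names are hypothetical.

```shell
#!/bin/sh
# Constructed example (not Bacula's code): a hypothetical mtx-changer-style
# helper that lists which storage slots hold a tape.

working_directory="${TMPDIR:-/tmp}"

# Stand-in for `mtx status` output. This sample is constructed for the demo.
fake_mtx_status() {
    printf '%s\n' \
        'Data Transfer Element 0:Empty' \
        '      Storage Element 1:Full :VolumeTag=VOL001' \
        '      Storage Element 2:Empty' \
        '      Storage Element 3:Full :VolumeTag=VOL003'
}

# Shared filter: print the slot numbers of "Full" storage elements.
full_slot_numbers() {
    grep 'Storage Element .*:Full' | sed 's/.*Storage Element \([0-9]*\):.*/\1/'
}

# Weak pattern: a predictable path in a shared directory, reused on every
# run. Because the script typically runs as root, another local user who
# owns or pre-creates this path decides what gets read back or overwritten.
list_full_slots_tmpfile() {
    tmp="$working_directory/mtx.status"
    fake_mtx_status > "$tmp"
    full_slot_numbers < "$tmp"
    rm -f "$tmp"
}

# Hardened pattern: no intermediate file at all. The same filter runs as a
# single pipeline, so there is nothing on disk for a third party to race.
list_full_slots_pipeline() {
    fake_mtx_status | full_slot_numbers
}

# If a file really is needed (output consumed more than once), mktemp(1)
# creates it atomically with an unpredictable name and mode 0600, and the
# trap removes it even if a later command fails.
list_full_slots_mktemp() {
    tmp=$(mktemp "${working_directory}/mtx.XXXXXX") || return 1
    trap 'rm -f "$tmp"' EXIT
    fake_mtx_status > "$tmp"
    full_slot_numbers < "$tmp"
    rm -f "$tmp"
    trap - EXIT
}

# randpass-style generator: prefer openssl, otherwise read the kernel CSPRNG.
# Neither branch touches a temp file or a guessable seed such as the clock.
# Assumption: /dev/urandom exists (Linux and the BSDs provide it).
make_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 12
    else
        dd if=/dev/urandom bs=12 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
    fi
}

# Stand-alone run: print the slot list and one generated password.
if [ "${0##*/}" != "sh" ] && [ -z "${BACULA_DEMO_NO_MAIN:-}" ]; then
    list_full_slots_pipeline
    make_password
    echo
fi
```

The pipeline version is the one a maintainer would normally want in a changer script: it removes the file, the cleanup step and the race in one go. Where a file is unavoidable, the `mktemp` form keeps the same `working_directory` setting the scripts already use but makes the name unpredictable and the creation atomic.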