Summary: net-misc/cfengine: insecure temporary file use
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: C3 [noglsa] jaervosz
Package list:
Runtime testing required: ---
Comment 1 Thierry Carrez (RETIRED) 2005-10-02 04:17:53 UTC
From Debian Security Advisory DSA 836-1
CVE ID: CAN-2005-2960

Javier Fernández-Sanguino Peña discovered insecure temporary file use in cfengine2, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.
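The bug class named in the advisory, shown as an added example that is not code from cfengine, its contrib scripts, or this bug report: a writer that uses a predictable temporary file name beside one that uses `mktemp`, with a self-test run in a private sandbox directory. The function names and the `edit.` file prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; names and paths are hypothetical, not taken from cfengine.

# Unsafe pattern: the name is predictable (directory + PID), and ">" follows
# a symlink that already exists at that path.
write_predictable() {
    # $1 = directory, $2 = data
    tmp="$1/edit.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (mode 0600), so an existing file or symlink is never followed.
write_safe() {
    # $1 = directory, $2 = data
    tmp=$(mktemp "$1/edit.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed regression check: inside a throwaway directory, a symlink sits
# at the predictable name and points at a stand-in "protected" file. The
# writer under test runs, and the function reports whether that file changed.
check_writer() {
    # $1 = name of the writer function to test
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/edit.$$"
    "$1" "$box" "new data" > /dev/null
    if [ "$(cat "$box/protected")" = "original" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$box"
    printf '%s\n' "$result"
}

for w in write_predictable write_safe; do
    printf '%s: %s\n' "$w" "$(check_writer "$w")"
done
```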
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-02 10:19:25 UTC
Lance/Kurt please verify and advise.
Comment 3 Lance Albertson (RETIRED) 2005-10-02 10:35:41 UTC
Hrm.. I looked into it and couldn't find much information about it and the fix. I just emailed the cfengine list to get some more feedback on the issue. In the meantime, I did notice they had a newer version of cfengine out that I hadn't bumped yet. I'll see about bumping that (even though there is no mention about a security fix in the changelog).
Comment 4 Lance Albertson (RETIRED) 2005-10-03 06:27:50 UTC
I started the thread on the cfengine mailing list and I got two responses back. The first one went into detail about the actual vuln being a third-party script that's called vicf. Some of the older ebuilds used to include this because it was in the contrib folder. The latest ebuilds I have in portage right now shouldn't include that script. The second reply was from the actual author of cfengine basically saying the same thing. My call is that this shouldn't be a problem since I don't include those scripts anymore. I just double checked and I just removed the ebuilds that used to have that file included a few days ago. If anyone hadn't updated cfengine in the last say.. 2-3 months, they may be vuln to this exploit. But this exploit is only if they use the third party scripts. Let me know if you need more information.

http://thread.gmane.org/gmane.comp.sysutils.cfengine.general/6713
http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6715
http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6717
Comment 5 Thierry Carrez (RETIRED) 2005-10-03 06:40:14 UTC
OK, we'll consider this one fixed in recent versions, and not worth a GLSA (obscure contrib script). Thanks for investigating this. Security: feel free to reopen if you disagree.