
Bug 240576 (CVE-2008-4579)

Summary: sys-cluster/fence-2.02.00-r1 symlink vulnerability (CVE-2008-{4579,4580})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jaak
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.comp.security.oss.general/1047/focus=1050
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 19:46:26 UTC
/usr/sbin/fence_apc logs to /tmp/apclog, if you use verbose mode:
./fence_apc -v -l foo -p bar -n 1 -a 192.168.0.1
it will write into that file.

If you
a) link to /etc/passwd
b) redirect the connection (e.g. arp-spoof, dns-spoof)
you can do this on the host you redirected to:
echo "hacked::0:0:root:/root:/bin/bash" | nc -l -p 23
And the account will be appended to /etc/passwd.
Honestly I doubt that will ever happen in reality, but it's possible.

http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=blob_plain;f=fence/agents/apc/fence_apc.py;hb=HEAD
seems to be a completely updated version.
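The defect described above is a fixed, predictable path under /tmp opened in append mode, so a symlink planted there is silently followed. The following Python is an added illustration for this bug page, not code from fence_apc or from upstream's fix: it reproduces the unsafe pattern against a symlink planted in a private temporary directory, and sets beside it a hardened open that refuses symlinks (O_NOFOLLOW) and verifies via fstat that the opened object is a regular file owned by the caller. The target and log-file names, the sample log line and the helper names are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample log line standing in for fence_apc's verbose output.
SAMPLE_LINE = "fence_apc: connecting to 192.168.0.1 (constructed sample)\n"


def naive_append_log(path, line):
    """The pattern the bug describes: a fixed path opened for append.
    open(..., 'a') follows whatever symlink has been planted at `path`,
    so the write lands in the symlink's target."""
    with open(path, "a") as fh:
        fh.write(line)


def safe_append_log(path, line):
    """Hardened variant (an assumption about what a fix should do, not
    upstream's patch): O_NOFOLLOW makes the kernel reject a symlink at the
    final path component with ELOOP, O_NOCTTY avoids acquiring a terminal,
    mode 0o600 keeps the log private, and the fstat check rejects a
    pre-created file that is not a regular file owned by the caller."""
    flags = (os.O_WRONLY | os.O_APPEND | os.O_CREAT
             | os.O_NOFOLLOW | os.O_NOCTTY)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"refusing to log to untrusted file {path}")
        os.write(fd, line.encode())
    finally:
        os.close(fd)


def demo():
    """Plant a symlink in a private temp dir (stand-in for /tmp/apclog
    pointing at /etc/passwd) and exercise both writers.
    Returns (naive_followed_link, safe_refused_link, target_untouched_by_safe,
             safe_wrote_regular_file)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")   # stands in for /etc/passwd
        link = os.path.join(d, "apclog")     # stands in for /tmp/apclog
        open(target, "w").close()
        os.symlink(target, link)

        # Unsafe writer: the line ends up inside the symlink target.
        naive_append_log(link, SAMPLE_LINE)
        with open(target) as fh:
            naive_followed = fh.read() == SAMPLE_LINE

        # Hardened writer: refuses the symlink and leaves the target alone.
        try:
            safe_append_log(link, SAMPLE_LINE)
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(target) as fh:
            target_untouched = fh.read() == SAMPLE_LINE

        # Hardened writer still works on an honest regular file it owns.
        regular = os.path.join(d, "honest.log")
        safe_append_log(regular, SAMPLE_LINE)
        with open(regular) as fh:
            safe_wrote = fh.read() == SAMPLE_LINE

        return naive_followed, safe_refused, target_untouched, safe_wrote


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True, True)
```

O_NOFOLLOW only protects the last path component; the better fix for a log that does not need a fixed name is to create it with tempfile.mkstemp (O_CREAT|O_EXCL with a random name) or to write under a directory only the daemon's user can enter, which removes the race entirely rather than detecting it.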
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:42:12 UTC
http://www.openwall.com/lists/oss-security/2008/10/13/3
Seems there is also a hole in fence_manual / fence_ack_manual fifo handling, it's a different bug, but I guess we can fix both in this bug #.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 03:43:54 UTC
CVE-2008-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4579):
  The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
  fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
  allows local users to append to arbitrary files via a symlink attack
  on the apclog temporary file.

CVE-2008-4580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4580):
  fence_manual in fence allows local users to modify arbitrary files
  via a symlink attack on the fence_manual.fifo temporary file.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-10 16:10:17 UTC
ha-cluster: *ping*
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-09 19:29:23 UTC
ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm whether this issue is fixed in your newer ebuilds?
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-09 15:32:03 UTC
(In reply to comment #4)
> ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm
> whether this issue is fixed in your newer ebuilds?
> 

Thanks!

I found this at the Debian bugtracker:

   * New upstream release version 2.03.09.
     - Upstream code audit fixes several tmpfile race conditions, among
       them CVE-2008-4579 and CVE-2008-4580. (Closes: #496410)

We have that version in the tree, stabled, old versions are removed. 
So, GLSA voting time!
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:01:28 UTC
Ready to vote, I vote YES.
What about you, a3li? ;)
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:03:03 UTC
YES, filed
Comment 8 Jaak Ristioja 2010-07-23 08:54:36 UTC
There is no sys-cluster/fence in portage any more.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 20:52:33 UTC
GLSA 201009-09, thanks everyone.