Bug 246013 (CVE-2008-4953)

Comment 1 Stefan Behte (RETIRED) 2008-11-07 22:01:37 UTC

http://dev.gentoo.org/~rbu/security/debiantemp/firehol
I did not test 1.273, because it wont let me ebuild ... unpack it (EAPI issues), but the other versions are vuln.

There won't be a vendor-supplied fix and the package has no maintainer. Shall we remove it?!

Comment 2 Robert Buchholz (RETIRED) 2009-01-06 22:27:30 UTC

Kerin and Gordon seem to have some interest in the program, and considering this has an almost zero attack vector, I would no go for removal.

I'll attach a patch, can someone else please review, and are you guys able to test this? Thanks.

Comment 3 Robert Buchholz (RETIRED) 2009-01-06 22:28:51 UTC

Created attachment 177606 [details, diff]
0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch

Comment 4 Gordon Malm (RETIRED) 2009-01-08 23:19:57 UTC

I'm unable to test as I don't use it.  I just bumped it @ Kerin's request because he provided the bump, I trust his work is always quality and he's a great help/contributor.

Comment 5 Stefan Behte (RETIRED) 2009-01-08 23:56:13 UTC

The patch looks good.
Read to vote, I vote NO.

Comment 6 Robert Buchholz (RETIRED) 2009-01-09 00:17:27 UTC

Let's get this tested, committed and stable first :-)

Comment 7 Stefan Behte (RETIRED) 2009-01-10 00:41:48 UTC

I thought that we could do parallel voting and testing/commiting/stabling, I should have changed to [ebuild/glsa?] though.

Comment 8 Gordon Malm (RETIRED) 2009-03-26 23:43:34 UTC

Kerin.. have any interest in testing this patch?

Re: Comment 2 - Thanks for your consideration and for the patch.

Re: Comment 8 - Yes, especially as I have recently re-instated my Linux-based gateway after a protracted hiatus caused by a change of ISP and hardware-related matters. As such, I have just applied the patch to a newer version which I am currently using (1.286) and it works as expected. Duly, it gets the thumbs up from these quarters!

Comment 10 Robert Buchholz (RETIRED) 2009-07-15 16:06:20 UTC

+*firehol-1.273-r1 (15 Jul 2009)
+
+  15 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+  +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild:
+  Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch
+  tested by Kerin Millar, thanks. Fixes bug 246013.
+

Comment 11 Robert Buchholz (RETIRED) 2009-07-15 16:06:55 UTC

Arches, please test and mark stable:
=net-firewall/firehol-1.273-r1
Target keywords : "x86"

Comment 12 Christian Faulhammer (RETIRED) 2009-07-16 08:03:16 UTC

x86 stable

Please target amd64 also.

Comment 14 Robert Buchholz (RETIRED) 2009-07-16 12:17:41 UTC

Kerin, the ebuild has not been stable on amd64 before. It is therefore against our (security's) policy to request stabling.
I fully agree the package should also have a stable on amd64, but it should be done in accordance with the regular time lines (i.e. 30 days after being in the tree, no open bugs). Please open a bug around August 15 to request stabling of this version on amd64. Feel free to put me in cc on that bug if there's any issue.

Comment 15 Robert Buchholz (RETIRED) 2009-07-16 12:18:57 UTC

glsa vote: i vote NO as the $RANDOM-$RANDOM makes success of an attack highly unlikely. CVE is disputed for this reason.

Comment 16 Alex Legler (RETIRED) 2009-07-16 12:26:47 UTC

Craig's NO in comment 5, my NO here. Closing.