Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 246013 (CVE-2008-4953)

Summary: <net-firewall/firehol-1.273-r1 symlink attack (CVE-2008-4953)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gengor, kfm, maintainer-needed
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    
Attachments:
Description Flags
0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch none

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 21:58:33 UTC
CVE-2008-4953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4953):
  ** DISPUTED **  firehol in firehol 1.256 allows local users to
  overwrite arbitrary files via a symlink attack on (1)
  /tmp/.firehol-tmp-#####-*-* and (2) /tmp/firehol.conf temporary
  files.  NOTE: the vendor disputes this vulnerability, stating that an
  attack "would require an attacker to create 1073741824*PID-RANGE
  symlinks."
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 22:01:37 UTC
http://dev.gentoo.org/~rbu/security/debiantemp/firehol
I did not test 1.273, because it wont let me ebuild ... unpack it (EAPI issues), but the other versions are vuln.

There won't be a vendor-supplied fix and the package has no maintainer. Shall we remove it?!

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:27:30 UTC
Kerin and Gordon seem to have some interest in the program, and considering this has an almost zero attack vector, I would no go for removal.

I'll attach a patch, can someone else please review, and are you guys able to test this? Thanks.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:28:51 UTC
Created attachment 177606 [details, diff]
0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch
Comment 4 Gordon Malm (RETIRED) gentoo-dev 2009-01-08 23:19:57 UTC
I'm unable to test as I don't use it.  I just bumped it @ Kerin's request because he provided the bump, I trust his work is always quality and he's a great help/contributor.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-08 23:56:13 UTC
The patch looks good.
Read to vote, I vote NO.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-09 00:17:27 UTC
Let's get this tested, committed and stable first :-)
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 00:41:48 UTC
I thought that we could do parallel voting and testing/commiting/stabling, I should have changed to [ebuild/glsa?] though.
Comment 8 Gordon Malm (RETIRED) gentoo-dev 2009-03-26 23:43:34 UTC
Kerin.. have any interest in testing this patch?
Comment 9 Kerin Millar 2009-03-29 05:51:22 UTC
Re: Comment 2 - Thanks for your consideration and for the patch.

Re: Comment 8 - Yes, especially as I have recently re-instated my Linux-based gateway after a protracted hiatus caused by a change of ISP and hardware-related matters. As such, I have just applied the patch to a newer version which I am currently using (1.286) and it works as expected. Duly, it gets the thumbs up from these quarters!
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 16:06:20 UTC
+*firehol-1.273-r1 (15 Jul 2009)
+
+  15 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+  +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild:
+  Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch
+  tested by Kerin Millar, thanks. Fixes bug 246013.
+
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 16:06:55 UTC
Arches, please test and mark stable:
=net-firewall/firehol-1.273-r1
Target keywords : "x86"
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-16 08:03:16 UTC
x86 stable
Comment 13 Kerin Millar 2009-07-16 12:08:57 UTC
Please target amd64 also.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 12:17:41 UTC
Kerin, the ebuild has not been stable on amd64 before. It is therefore against our (security's) policy to request stabling.
I fully agree the package should also have a stable on amd64, but it should be done in accordance with the regular time lines (i.e. 30 days after being in the tree, no open bugs). Please open a bug around August 15 to request stabling of this version on amd64. Feel free to put me in cc on that bug if there's any issue.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 12:18:57 UTC
glsa vote: i vote NO as the $RANDOM-$RANDOM makes success of an attack highly unlikely. CVE is disputed for this reason.
Comment 16 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-16 12:26:47 UTC
Craig's NO in comment 5, my NO here. Closing.