|Summary:||<net-firewall/firehol-1.273-r1 symlink attack (CVE-2008-4953)|
|Product:||Gentoo Security||Reporter:||Stefan Behte (RETIRED) <craig>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||minor||CC:||gengor, kfm, maintainer-needed|
Description Stefan Behte (RETIRED) 2008-11-07 21:58:33 UTC
CVE-2008-4953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4953): ** DISPUTED ** firehol in firehol 1.256 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/.firehol-tmp-#####-*-* and (2) /tmp/firehol.conf temporary files. NOTE: the vendor disputes this vulnerability, stating that an attack "would require an attacker to create 1073741824*PID-RANGE symlinks."
Comment 1 Stefan Behte (RETIRED) 2008-11-07 22:01:37 UTC
http://dev.gentoo.org/~rbu/security/debiantemp/firehol I did not test 1.273, because it won't let me ebuild ... unpack it (EAPI issues), but the other versions are vuln. There won't be a vendor-supplied fix and the package has no maintainer. Shall we remove it?!
Comment 2 Robert Buchholz (RETIRED) 2009-01-06 22:27:30 UTC
Kerin and Gordon seem to have some interest in the program, and considering this has an almost zero attack vector, I would not go for removal. I'll attach a patch, can someone else please review, and are you guys able to test this? Thanks.
Comment 3 Robert Buchholz (RETIRED) 2009-01-06 22:28:51 UTC
Created attachment 177606: 0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch
Comment 4 Gordon Malm (RETIRED) 2009-01-08 23:19:57 UTC
I'm unable to test as I don't use it. I just bumped it @ Kerin's request because he provided the bump, I trust his work is always quality and he's a great help/contributor.
Comment 5 Stefan Behte (RETIRED) 2009-01-08 23:56:13 UTC
The patch looks good. Ready to vote, I vote NO.
Comment 6 Robert Buchholz (RETIRED) 2009-01-09 00:17:27 UTC
Let's get this tested, committed and stable first :-)
Comment 7 Stefan Behte (RETIRED) 2009-01-10 00:41:48 UTC
I thought that we could do parallel voting and testing/committing/stabling, I should have changed to [ebuild/glsa?] though.
Comment 8 Gordon Malm (RETIRED) 2009-03-26 23:43:34 UTC
Kerin.. have any interest in testing this patch?
Comment 9 Kerin Millar 2009-03-29 05:51:22 UTC
Re: Comment 2 - Thanks for your consideration and for the patch. Re: Comment 8 - Yes, especially as I have recently re-instated my Linux-based gateway after a protracted hiatus caused by a change of ISP and hardware-related matters. As such, I have just applied the patch to a newer version which I am currently using (1.286) and it works as expected. Duly, it gets the thumbs up from these quarters!
Comment 10 Robert Buchholz (RETIRED) 2009-07-15 16:06:20 UTC
+*firehol-1.273-r1 (15 Jul 2009) + + 15 Jul 2009; Robert Buchholz <firstname.lastname@example.org> + +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild: + Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch + tested by Kerin Millar, thanks. Fixes bug 246013. +
Comment 11 Robert Buchholz (RETIRED) 2009-07-15 16:06:55 UTC
Arches, please test and mark stable: =net-firewall/firehol-1.273-r1 Target keywords : "x86"
Comment 12 Christian Faulhammer (RETIRED) 2009-07-16 08:03:16 UTC
Comment 13 Kerin Millar 2009-07-16 12:08:57 UTC
Please target amd64 also.
Comment 14 Robert Buchholz (RETIRED) 2009-07-16 12:17:41 UTC
Kerin, the ebuild has not been stable on amd64 before. It is therefore against our (security's) policy to request stabling. I fully agree the package should also have a stable on amd64, but it should be done in accordance with the regular time lines (i.e. 30 days after being in the tree, no open bugs). Please open a bug around August 15 to request stabling of this version on amd64. Feel free to put me in cc on that bug if there's any issue.
Comment 15 Robert Buchholz (RETIRED) 2009-07-16 12:18:57 UTC
glsa vote: I vote NO as the $RANDOM-$RANDOM makes success of an attack highly unlikely. CVE is disputed for this reason.
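
The thread contrasts a temporary path named from `$RANDOM-$RANDOM` with the `mktemp` approach named in the attachment title. The shell sketch below shows the defensive pattern for both path types the CVE text lists (a randomised directory and a fixed-name file location); it is an added example, not firehol's code or the attached patch. The function names and the `.example-tmp-` prefix are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example (not firehol's code): temp-directory creation that cannot be
# pre-empted by a symlink, plus a check for a path chosen by name.
# Function names and the ".example-tmp-" prefix are hypothetical.

# Create a private directory under $1 (default /tmp). mktemp -d picks the name
# and creates the directory in one atomic step with mode 0700, failing rather
# than reusing anything that already exists at that path.
safe_tmpdir() {
    local base="${1:-/tmp}" dir
    dir="$(mktemp -d "${base}/.example-tmp-XXXXXXXXXX")" || return 1
    printf '%s\n' "$dir"
}

# Claim a directory at a fixed, caller-chosen path. Plain mkdir (no -p) fails
# if anything, including a symlink, already occupies the path, so the script
# never adopts a location that someone else prepared.
claim_dir() {
    local dir="$1"
    ( umask 077 && mkdir -- "$dir" ) 2>/dev/null || return 1
    # Defence in depth: confirm the result is a real directory we own.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ]
}

# Return 0 only if the path is a real directory (not a symlink), owned by the
# current user, with mode 700 (stat -c is the GNU coreutils form).
is_private_dir() {
    local dir="$1"
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    [ "$(stat -c '%a' -- "$dir")" = "700" ]
}
```

A script that writes its working files only inside a directory obtained this way does not depend on the unpredictability of the name at all, which removes the probability argument from the discussion.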