Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 264564 (CVE-2009-0115)

Summary: <sys-fs/multipath-tools-0.4.8-r1 World-writable socket (CVE-2009-0115)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-01 23:15:53 UTC 
CVE-2009-0115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0115):
  multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
  Enterprise Server (SLES) 10 uses world-writable permissions for the
  socket file (aka /var/run/multipathd.sock), which allows local users
  to send arbitrary commands to the multipath daemon.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 20:10:00 UTC 
base-system, ping
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-10-30 08:10:55 UTC 
In 0.4.8-r1 (1.2) now, cleared for stable request (has some other fixes in it too).
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-30 10:36:51 UTC 
Arches, please test and mark stable:
=sys-fs/multipath-tools-0.4.8-r1
Target keywords : "amd64 ppc ppc64 x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-10-31 13:15:28 UTC 
ppc64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-03 19:25:24 UTC 
x86 stable
Comment 7 Markus Meier gentoo-dev 2009-11-04 11:11:24 UTC 
amd64 stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-11-13 01:01:21 UTC 
Marked ppc stable.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:42:08 UTC 
GLSA vote: yes.
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-01-29 23:21:39 UTC 
+1 vote as the maintainer. Anybody writing to the socket locally can cause SAN disks to go offline, potentially causing an entire OCFS2 cluster to fence/panic.
Comment 11 solar (RETIRED) gentoo-dev 2010-01-29 23:26:35 UTC 
I've confirmed this problem exists in my production cluster. chmod o-rwx /var/run/multipath.sock works around it at runtime. But it's less then ideal.
Please fire off a GLSA for this to raise awareness.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-29 23:31:01 UTC 
GLSA request filed.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:24:49 UTC 
GLSA 201006-10