Summary: | sys-fabric/ibutils: improper use of files in /tmp (CVE-2013-2561) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | cluster, mgorny, treecleaner |
Priority: | Normal | Keywords: | PATCH, PMASKED |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2013/03/25/11 | ||
Whiteboard: | ~3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- | |
Deadline: | 2019-12-31 |
Description
Agostino Sarubbo
2013-03-26 10:10:35 UTC
I will update it ASAP to version from ofed-3.5.0 CVE-2013-2561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2561): OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary files via a symlink attack on (1) ibdiagnet.db, (2) ibdiagnet.fdbs, (3) ibdiagnet_ibis.log, (4) ibdiagnet.log, (5) ibdiagnet.lst, (6) ibdiagnet.mcfdbs, (7) ibdiagnet.pkey, (8) ibdiagnet.psl, (9) ibdiagnet.slvl, or (10) ibdiagnet.sm in /tmp/. Old versions removed from tree (In reply to Alexey Shvetsov from comment #3) > Old versions removed from tree Thanks. Still trying to track where the vulnerability was fixed. If I cannot find anything, I will try to replicate the symlink attack when I get a bit more time. You may wanna wait a little bit. I'll add new versions that was released recently (In reply to Alexey Shvetsov from comment #5) > You may wanna wait a little bit. I'll add new versions that was released > recently Well that is the issue. No information shows where the vulnerability was patched. UPDATE: I've tried to replicate the same issue on ibutils-1.5.7-0.2.gbd7e502.tar.gz the result: -E- The following tile is write protected: /tmp/ibdiagnet.log Error message: "couldn't open "/tmp/ibdiagnet.log": permission denied" Exiting I've tested it on an arch vm which has the latest ibutils version, @Maintainers: could you please confirm if there is going to be a version bump since the package is masked right now? The current package in Gentoo repository is still vulnerable. @ Maintainer(s): Please apply the following patch from Red Hat (https://salsa.debian.org/hpc-team/ibutils/blob/master/debian/patches/do_not_use_tmp.patch) which changes ibutils default tmp path to /var/cache/ibutils which can be locked down. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03325ebfa6d282818310103f8ce387bc5f2965c1 commit 03325ebfa6d282818310103f8ce387bc5f2965c1 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-12-01 20:26:22 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-12-01 20:59:54 +0000 package.mask: Last rite sys-fabric/ibutils Bug: https://bugs.gentoo.org/463338 Signed-off-by: Michał Górny <mgorny@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+) The package is now gone. |