Bug 736086 (CVE-2020-10699, CVE-2020-13867)

Summary:	<sys-block/targetcli-fb-2.1.53: Multiple vulnerabilities (CVE-2020-{10699,13867})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	proxy-maint, sir.suriv
Priority:	Normal	Flags:	nattka: sanity-check-
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/open-iscsi/targetcli-fb/pull/172
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=718528 https://bugs.gentoo.org/show_bug.cgi?id=728770 https://github.com/gentoo/gentoo/pull/17142
Whiteboard:	B1 [glsa+ cve]
Package list:	sys-block/targetcli-fb-2.1.53	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	736709

Description Sam James archtester

2020-08-05 22:46:27 UTC

Description:
"Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files)."

Let's check if Gentoo is actually affected by this.

Comment 1 Sam James archtester

2020-08-05 22:49:00 UTC

The ebuild does nothing special wrt permissions:
>	keepdir /etc/target /etc/target/backup
>	doman targetcli.8

And these issues (as seen in the patch - see URL on this bug) are resolved via a runtime change. So, yes, it seems we are affected.

Comment 2 Sam James archtester

2020-08-05 22:49:42 UTC

Also:

* CVE-2020-10699

Description:
"A flaw was found in Linux, in targetcli-fb versions 2.1.50 and 2.1.51 where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iSCSI configuration and escalate their privileges to root."

https://github.com/open-iscsi/targetcli-fb/issues/162

Comment 3 Sam James archtester

2020-08-05 22:50:25 UTC

Maintainer, please bump to 2.1.53 ASAP.

Comment 4 Diogo Pereira 2020-08-09 16:39:59 UTC

This needs a bump of dev-python/rtslib-fb first.
I opened https://github.com/gentoo/gentoo/pull/16516 a while ago for that...

Comment 5 Sam James archtester

2020-08-15 01:18:44 UTC

(In reply to Diogo Pereira from comment #4)
> This needs a bump of dev-python/rtslib-fb first.
> I opened https://github.com/gentoo/gentoo/pull/16516 a while ago for that...

Done. Sorry for the delay.

Comment 6 Larry the Git Cow gentoo-dev

2020-08-25 00:10:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934814f627d542bae52f0500ad6cf003525e23f2

commit 934814f627d542bae52f0500ad6cf003525e23f2
Author:     Diogo Pereira <sir.suriv@gmail.com>
AuthorDate: 2020-08-16 23:14:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-25 00:06:07 +0000

    sys-block/targetcli-fb: bump to 2.1.53
    
    Bug: https://bugs.gentoo.org/722674
    Bug: https://bugs.gentoo.org/736086
    Closes: https://bugs.gentoo.org/718528
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Diogo Pereira <sir.suriv@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17142
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 +
 sys-block/targetcli-fb/targetcli-fb-2.1.53.ebuild | 28 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)

Comment 7 Sam James archtester

2020-08-25 01:50:51 UTC

x86 done

Comment 8 NATTkA bot gentoo-dev

2020-08-25 12:36:56 UTC

Unable to check for sanity:

> dependent bug #728770 is missing keywords

Comment 9 Sam James archtester

2020-08-25 12:37:56 UTC

amd64 done

all arches done

Comment 10 Sam James archtester

2020-08-25 12:40:48 UTC

amd64 done

all arches done

Comment 11 Sam James archtester

2020-08-25 12:41:14 UTC

Please cleanup.

Comment 12 NATTkA bot gentoo-dev

2020-08-25 12:41:44 UTC

Unable to check for sanity:

> dependent bug #728770 is missing keywords

Comment 13 Larry the Git Cow gentoo-dev

2020-08-30 03:14:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64f2a898441e0332284a6533e4f797b7bbf5a8a5

commit 64f2a898441e0332284a6533e4f797b7bbf5a8a5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:14:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:14:38 +0000

    sys-block/targetcli-fb: security cleanup
    
    Bug: https://bugs.gentoo.org/736086
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 -
 sys-block/targetcli-fb/targetcli-fb-2.1.51.ebuild | 28 -----------------------
 2 files changed, 29 deletions(-)

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2020-08-30 21:14:48 UTC

This issue was resolved and addressed in
 GLSA 202008-22 at https://security.gentoo.org/glsa/202008-22
by GLSA coordinator Sam James (sam_c).

Comment 15 Larry the Git Cow gentoo-dev

2020-08-30 22:45:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bc8d65d5a15200942dc7c66c1fcc0ba7102099c

commit 2bc8d65d5a15200942dc7c66c1fcc0ba7102099c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 22:45:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 22:45:26 +0000

    sys-block/targetcli-fb: security cleanup
    
    Bug: https://bugs.gentoo.org/736086
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 -
 sys-block/targetcli-fb/targetcli-fb-2.1.49.ebuild | 33 -----------------------
 2 files changed, 34 deletions(-)