Bug 79330

Summary: net-firewall/firehol: Insecure Temporary File Creation Vulnerabilities
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: centic, costa
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://secunia.com/advisories/13970/
Whiteboard: A3 [glsa] lewk
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-01-24 06:47:45 UTC
Description:
Sam Couter has reported some vulnerabilities in FireHOL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerabilities are caused due to various temporary files being created insecurely. This can be exploited via symlink attacks to overwrite arbitrary files on the system with the privileges of a user running a vulnerable script.

The vulnerabilities have been reported in version 1.214. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.
Comment 1 Dominik Stadler (RETIRED) gentoo-dev 2005-01-24 11:57:47 UTC
Debian has a fix for this in unstable, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291680

The diff that Debian uses against plain 1.214 is available at 
http://ftp.debian.org/debian/pool/main/f/firehol/firehol_1.214-2.diff.gz
This contains some additional Debian-specific changes.
Comment 2 Costa Tsaousis 2005-01-24 14:56:22 UTC
Hi,

I have released v1.224 to fix the issue.

Thanks.

Costa Tsaousis
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-01-24 15:13:45 UTC
centic, please bump.
Comment 4 Dominik Stadler (RETIRED) gentoo-dev 2005-01-25 11:55:00 UTC
There is some difference in the way version 1.224 tries to fix the problem compared to how Debian did it.

firehol-1.224:

    # Remove any old directories that might be there.
    if [ -d "${FIREHOL_DIR}" ]
    then
        "${RM_CMD}" -rf "${FIREHOL_DIR}"
        if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
        then
            echo >&2
            echo >&2
            echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
            echo >&2
            exit 1
        fi
    fi
    "${MKDIR_CMD}" -p "${FIREHOL_DIR}"    || exit 1
    "${MKDIR_CMD}" -p "${FIREHOL_CHAINS_DIR}"    || exit 1

Debian:

+#prevent symlink attacks
+umask 077 
+mkdir "${FIREHOL_DIR}" || (echo "Creating ${FIREHOL_DIR} failed. Please remove it if it already exists." ; exit 1) 
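Review bot: the failure branch on the `mkdir` line does not stop the script, because `( ... ; exit 1)` runs in a subshell and the `exit 1` only ends that subshell; execution continues after a failed `mkdir "${FIREHOL_DIR}"`, which is exactly the case the message warns about. Use a group instead, e.g. `mkdir "${FIREHOL_DIR}" || { echo "Creating ${FIREHOL_DIR} failed. Please remove it if it already exists."; exit 1; }`, so a pre-existing path actually aborts the run. The `umask 077` above it is fine and also covers every file created later in the script.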


I'm not a security expert, therefore I would like to have some confirmation if the first way of solving this is appropriate. There seems to still be a slight chance of getting the directory created underneath between the rm and the mkdir, right?


Additionally I also saw the following code in firehol.sh:

        KERNEL_CONFIG="/proc/config"
        ${CAT_CMD} /proc/config >/tmp/kcfg.$$
        source /tmp/kcfg.$$
        ${RM_CMD} -f /tmp/kcfg.$$

Isn't that another thing that can be exploited quite easily? Especially as there is a "source" of the temp-file?
Comment 5 Costa Tsaousis 2005-01-25 13:18:16 UTC
Hi,

I have changed the firehol temporary directory name to include the variable $RANDOM twice. I hope this will make the directory name completely unpredictable.

I have also made sure FireHOL does not create any files outside its temporary directory (including the mentioned kcfg).

All these in v1.225. Get it from http://firehol.sf.net/firehol.tar.gz

I hope both these have solved all the threats of temporary file creation.

If there are no other concerns, I'll release it asap.

Costa
Comment 6 Costa Tsaousis 2005-01-25 13:31:28 UTC
I also removed all -p from all mkdirs to make them fail if the directory already exists.

In v1.226, same URL.

Costa
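As an added example (not FireHOL's or Debian's code), the following POSIX sh script shows the two points the thread converges on in Comments 4 to 6: why `mkdir -p` on a predictable path accepts a pre-created directory, and how an unpredictable name plus a plain `mkdir` under `umask 077` removes the rm/mkdir window entirely. It assumes od(1) and a readable /dev/urandom; the `firehol-demo` prefix and `TMPDIR` default are the example's own choices.

```shell
#!/bin/sh
# Added example, not FireHOL code. Assumes POSIX sh, od(1) and /dev/urandom.

# Pattern from the report: fixed name and -p. Returns 0 even when the
# path was pre-created (or is a symlink to a directory) by someone else.
weak_mkdir() {
    mkdir -p "$1"
}

# Single attempt: create with mode 0700 and fail if anything is already
# at that path. mkdir(2) without -p is the atomic existence check, so
# there is no window between "check" and "create". The umask is set in
# a subshell so the caller's umask is untouched.
private_mkdir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Unpredictable name component from the kernel RNG. The thread uses
# $RANDOM, which is not POSIX; od over /dev/urandom is the portable form.
random_suffix() {
    od -An -N4 -tu4 /dev/urandom | tr -d ' '
}

# Bounded retry loop: a collision means "try another name", never
# "reuse whatever is there". Prints the created path on success.
safe_tmpdir() {
    base="${TMPDIR:-/tmp}"
    i=0
    while [ "$i" -lt 16 ]; do
        dir="$base/firehol-demo.$$.$(random_suffix)"
        if private_mkdir "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        i=$((i + 1))
    done
    echo "could not create a private directory under $base" >&2
    return 1
}
```

Every file the script needs afterwards should then be created inside the directory `safe_tmpdir` returned, which is the change Comment 5 describes for the kcfg file.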
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:51:20 UTC
centic: v 1.226 looks right to me. Please bump to that.
Comment 8 Dominik Stadler (RETIRED) gentoo-dev 2005-01-27 10:09:49 UTC
The complete package for 226 is not yet available, only one for 224.

Therefore I have added Version 1.224 plus a patch that adds the diff from cvs of rev. 225 and 226.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 11:48:16 UTC
x86: please test 1.224 and mark stable
Comment 10 Costa Tsaousis 2005-01-29 19:23:25 UTC
Released v1.226.

Thank you all.

Costa
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 05:05:18 UTC
centic: if you tested on x86 please mark it stable.
Comment 12 Dominik Stadler (RETIRED) gentoo-dev 2005-01-31 12:41:35 UTC
Sorry for the delay, this is my first security-bug, so I am not sure which actions the developer should perform and what is done by the security team.

1.224 is marked stable on x86 now. I will upgrade to 1.226 with normal procedures as the proper security fix is contained in 1.224 already.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-31 13:00:35 UTC
Thanks Dominik. If you have any questions wrt security bugs please join #gentoo-security or drop me a line.

This one is ready for GLSA.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-01 12:09:02 UTC
GLSA 200502-01

thanks everyone