Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 86686

Summary: sys-cluster/openmosixview: Insecure Temporary File Creation Vulnerabilities
Product: Gentoo Security Reporter: Jean-Fran├žois Brunette (RETIRED) <formula7>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hp-cluster, tantive
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/14693/
Whiteboard: B3 [glsa] koon
Package list:
Runtime testing required: ---

Description Jean-Fran├žois Brunette (RETIRED) gentoo-dev 2005-03-25 10:38:21 UTC
Description:
Gangstuck and Psirac have reported some vulnerabilities in openMosixview, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerabilities are caused due to various temporary files being created insecurely with predictable filenames. This can be exploited via symlink attacks to create or overwrite arbitrary files on the system with the privileges of the user running openmosixview or the openmosixcollector daemon.

The vulnerabilities have been reported in versions 1.5 and prior.

Solution:
Grant only trusted users access to affected systems
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-03-25 11:02:23 UTC
http://www.securityfocus.com/archive/1/394282
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-04-08 08:08:32 UTC
See discussion about this bug at:
http://sourceforge.net/mailarchive/forum.php?thread_id=6929877&forum_id=1042

Patches are at:
http://uw-dig.uwaterloo.ca/~hy3chan/patches/openmosixview/1.5/20logdirectory.diff
http://uw-dig.uwaterloo.ca/~hy3chan/patches/openmosixview/1.5/50nonodestmp.diff

tantive/cluster: please review patches and bump with them if you think they are ok.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-04-13 08:32:05 UTC
xmerlin (cluster herd) said he would have a look.
Comment 4 Christian Zoffoli (RETIRED) gentoo-dev 2005-04-15 09:17:53 UTC
fixed in cvs
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-04-15 10:10:54 UTC
Reopening to handle stable/glsa steps
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-16 04:32:55 UTC
xmerlin: could you bump the revision ?
Comment 7 Christian Zoffoli (RETIRED) gentoo-dev 2005-04-16 06:01:51 UTC
done
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-16 06:52:03 UTC
Security please vote on GLSA need
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-19 00:31:36 UTC
Do openmosixview or the openmosixcollector daemon typically run as root ? If yes, I would issue a GLSA about it, if not, I wouldn't.

xmerlin/cluster herd, could you give us your opinion ?
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-19 11:23:04 UTC
I think it can be run by root quite usually, so I vote YES.
Comment 11 Christian Zoffoli (RETIRED) gentoo-dev 2005-04-19 12:13:32 UTC
It needs to be run as root as I can remember
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-19 12:29:31 UTC
I vote yes as well.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-04-21 06:57:29 UTC
GLSA 200504-20