Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 104986 - app-backup/bacula <= 1.34.4 multiple vulnerabilities
Summary: app-backup/bacula <= 1.34.4 multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-06 02:38 UTC by Romang
Modified: 2005-10-19 10:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Romang 2005-09-06 02:38:28 UTC
Hello,

* Take a look on : autoconf/randpass

This file is used by configure and autoconf/configure.in
to generate random password.

11 tmp=/tmp/p.tmp.$$
12 cp autoconf/randpass.bc $tmp
13 ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
14 date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
15 ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
16 echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
17 echo "quit" >>$tmp
18 bc $tmp | awk -f autoconf/randpass.awk
19 rm $tmp

They are 2 troubles, symlink attack (race condition) and password revelation to
unstruted user (race condition).


* Take a look at : rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula Rescue Disk

192 cat >mount_drives <<END_OF_DATA
193 #!/bin/sh
194 #
195 #  Mount disk drives  -- created by getdiskinfo
196 #
197 END_OF_DATA
198 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext2.bsi >>mount_drives
199 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>mount_drives
200 echo "#" >>mount_drives
201 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext2.bsi >/tmp/1$$
202 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p'
$di/mount.ext3.bsi >>/tmp/1$$
203 # sort so that root is mounted first
204 sort -k 3 </tmp/1$$ >>mount_drives
205 rm -f /tmp/1$$
206 
207 chmod 755 mount_drives
208 
209 # copy sfdisk so we will have it
210 cp -f /sbin/sfdisk .
211 echo "Done building scripts."
212 echo " "
213 echo "You might want to do a:"
214 echo " "
215 echo "chown -R uuuu:gggg *"
216 echo " "
217 echo "where uuuu is your userid and gggg is your group"
218 echo "so that you can access all the files as non-root"
219 echo " "

They are two troubles, symlink attack (race condition) and possible execution
off executing arbitrary commands with users privileges (race condition)


* Take a look at : scripts/mtx-changer.in

Bacula interface to mtx autoloader

117    loaded)
118       ${MTX} -f $ctl status >/tmp/mtx.$$
119       rtn=$?
120       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk
"{print \$7}"
121       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk
"{print 0}"
122       rm -f /tmp/mtx.$$
123       exit $rtn
124       ;;

symlink attack (race condition) possible


* Also we got this variable in a lot off script :

working_directory  = "/tmp";

Upstream should check the usage off this variable.

Regards.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-13 04:06:01 UTC
(In reply to comment #0)
> Hello,
> 
> * Take a look on : autoconf/randpass
> 
...

This would only be exploitable on systems that dont have an openssl command, so 
not many systems would be effected, nevertheless, it could potentially be an 
issue. Suggest adding a dependency on openssl.

> * Take a look at : rescue/linux/getdiskinfo

This file does not appear to be installed, and therefore is invalid.
 
> 
> * Take a look at : scripts/mtx-changer.in

Yes, I dont see why a temporary file is needed here, this could be done in a 
single pipeline.

> 
> * Also we got this variable in a lot off script :
> 
> working_directory  = "/tmp";
> 
> Upstream should check the usage off this variable.
> 

Perhaps, I'll leave that to security team/maintainers to decide.

Comment 2 Romang 2005-09-13 04:23:15 UTC
>> Hello,
>> 
>> * Take a look on : autoconf/randpass
>> 
...

> This would only be exploitable on systems that dont have an openssl command, so 
> not many systems would be effected, nevertheless, it could potentially be an 
> issue. Suggest adding a dependency on openssl.

...

Why openssl ?

...

Regards
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-13 04:45:55 UTC
because it's only used if openssl isnt available.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 05:42:59 UTC
eric: where do we stand here ? upstream warned ? 
Comment 5 Romang 2005-09-19 01:46:28 UTC
Hello,

Reported into bacula bug system.

http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422

Regards.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 07:00:31 UTC
Now public.

Version 1.37.39 is out and fixes the issue.
Maintainers: please bump.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-09-23 13:29:22 UTC
CCing herd as maintainers don't answer...
Comment 8 Hunter Cook 2005-10-03 17:51:33 UTC
Is this a major issue? I just installed bacula and was about to configure it to
backup a pretty important server over the public Internet....is that a bad idea
with this version? I just installed 1.34.4 because that's what's marked stable
right now, and I hadn't seen this yet.

Also, how is bacula-1.36.3-r1 in comparison? Is it stable? I see the reference
to 1.37.39 above...seems like we're a bit behind. Are there other
vulnerabilities that 1.36.3 still has problems with?
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 00:50:05 UTC
These are both local attacks, meaning the attacker needs to get access to the
system (and be free to execute code on it). So if you don't have local users on
the platform you use Bacula on, that's not such a bug deal.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-06 08:12:44 UTC
app-backup please bump. 
Comment 11 Daniel Black (RETIRED) gentoo-dev 2005-10-06 14:05:19 UTC
bacula-1.36.3-r2 added that fixes the vulnerability.  
 
Romang thankyou add please check. 
 
FYI: 1.37* is the unstable beta version  
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-06 14:09:54 UTC
Nothing in CVS yet. 
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-06 14:15:30 UTC
Ok, it is in now. Arches please test and mark stable. 
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-07 11:06:49 UTC
Stable on ppc and hppa.
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2005-10-08 22:23:00 UTC
x86 done
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-10-11 08:30:04 UTC
Still misses sparc keyword...
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-11 10:58:24 UTC
sparc stable.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-10-12 00:42:04 UTC
Ready for GLSA vote, I vote NO since I can't think of a supported arch where
openssl is not in system.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-12 01:00:52 UTC
Voting NO and closing without GLSA. 
 
Romang thanks for reporting. 
Comment 20 Daniel Black (RETIRED) gentoo-dev 2005-10-13 14:17:36 UTC
The password attack on tmp files is one of the situtations. 
 
The second one based on scripts/mtx-changer.in does exist on all platforms. 
The exploit to use the vulnerability occurs on configurations where there the 
tape backup unit requires manual tape switching. 
 
The exploitable times are between tape changes. I'm not sure if this is a 
sufficiently common configuration for a glsa or not. I'm not sure if users are 
often given access on machines where a tape-backup may be connected that may 
be an effective countermeasure. 
 
A few seconds for your consideration people. 
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-10-14 00:26:46 UTC
Thx for the details. I agree the second scenario is more likely and tends to be
run as root, so now I tend to vote yes :)
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-14 00:32:32 UTC
Small YES vote from me too. 
Comment 23 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-15 01:56:12 UTC
i would vote NO, seems a rare configuration. Also, cannot control output, so 
mainly useful for sabotage. 
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 01:13:10 UTC
Let's get this done, please cast your vote.
Comment 25 Daniel Black (RETIRED) gentoo-dev 2005-10-19 01:45:06 UTC
If I'm allowed to vote I'll say no based on Tavis's comments. 
Comment 26 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-19 10:44:37 UTC
Reverting to NO vote and closing with NO GLSA. Feel free to reopen if you 
disagree.