Hello,

* Take a look at : autoconf/randpass

This file is used by configure and autoconf/configure.in to generate a random password.

    11 tmp=/tmp/p.tmp.$$
    12 cp autoconf/randpass.bc $tmp
    13 ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
    14 date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    15 ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    16 echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
    17 echo "quit" >>$tmp
    18 bc $tmp | awk -f autoconf/randpass.awk
    19 rm $tmp

There are two troubles: symlink attack (race condition) and password revelation to an untrusted user (race condition).

* Take a look at : rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula Rescue Disk

    192 cat >mount_drives <<END_OF_DATA
    193 #!/bin/sh
    194 #
    195 # Mount disk drives -- created by getdiskinfo
    196 #
    197 END_OF_DATA
    198 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext2.bsi >>mount_drives
    199 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext3.bsi >>mount_drives
    200 echo "#" >>mount_drives
    201 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext2.bsi >/tmp/1$$
    202 sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext3.bsi >>/tmp/1$$
    203 # sort so that root is mounted first
    204 sort -k 3 </tmp/1$$ >>mount_drives
    205 rm -f /tmp/1$$
    206
    207 chmod 755 mount_drives
    208
    209 # copy sfdisk so we will have it
    210 cp -f /sbin/sfdisk .
    211 echo "Done building scripts."
    212 echo " "
    213 echo "You might want to do a:"
    214 echo " "
    215 echo "chown -R uuuu:gggg *"
    216 echo " "
    217 echo "where uuuu is your userid and gggg is your group"
    218 echo "so that you can access all the files as non-root"
    219 echo " "

There are two troubles: symlink attack (race condition) and possible execution of arbitrary commands with the user's privileges (race condition).

* Take a look at : scripts/mtx-changer.in

Bacula interface to mtx autoloader

    117 loaded)
    118 ${MTX} -f $ctl status >/tmp/mtx.$$
    119 rtn=$?
    120 cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
    121 cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
    122 rm -f /tmp/mtx.$$
    123 exit $rtn
    124 ;;

Symlink attack (race condition) possible.

* Also we got this variable in a lot of scripts :

    working_directory = "/tmp";

Upstream should check the usage of this variable.

Regards.
(In reply to comment #0)
> Hello,
>
> * Take a look on : autoconf/randpass
> ...

This would only be exploitable on systems that don't have an openssl command, so not many systems would be affected; nevertheless, it could potentially be an issue. Suggest adding a dependency on openssl.

> * Take a look at : rescue/linux/getdiskinfo

This file does not appear to be installed, and therefore is invalid.

>
> * Take a look at : scripts/mtx-changer.in

Yes, I don't see why a temporary file is needed here; this could be done in a single pipeline.

>
> * Also we got this variable in a lot off script :
>
> working_directory = "/tmp";
>
> Upstream should check the usage off this variable.
>

Perhaps, I'll leave that to security team/maintainers to decide.
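Added example, not code from this bug thread or from the Bacula project: the temp-file-free rewrite of the mtx-changer "loaded)" branch suggested in the comment above (a shell variable rather than a strict pipeline, so the mtx exit status survives as in the original), plus the check a reviewer would run over the scripts for the `/tmp/...$$` pattern behind every finding in the report. Function names and the sample mtx output are constructed.

```shell
#!/bin/sh
# Added example, not code from the Bacula sources or from this bug thread.
# Hardened form of the mtx-changer "loaded)" branch quoted in the report:
# the mtx status output is kept in a shell variable, so there is no
# predictable /tmp/mtx.$$ file for a local user to pre-create or symlink.
# Function names and the sample output below are this example's own.

# parse_mtx_status DRIVE STATUS_TEXT
# Prints the slot loaded in DRIVE, or 0 if the drive is empty; returns 1
# if DRIVE does not appear. Same field logic as the original grep|awk pairs.
parse_mtx_status() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $0 ~ "^Data Transfer Element " d ":Full"  { print $7; found = 1 }
        $0 ~ "^Data Transfer Element " d ":Empty" { print 0;  found = 1 }
        END { exit !found }'
}

# loaded_slot MTX_CMD CTL DRIVE
# Temp-file-free equivalent of the original branch; the exit status of
# mtx itself is still what the caller sees, as in the original.
loaded_slot() {
    out=$("$1" -f "$2" status)
    rtn=$?
    parse_mtx_status "$3" "$out"
    return $rtn
}

# find_predictable_tmp FILE...
# Reviewer's check: report script lines that build a temp path from /tmp
# and $$ (a PID is guessable), the pattern behind every finding in this
# report. Returns 0 when nothing is found, 1 otherwise.
find_predictable_tmp() {
    grep -nE '/tmp/[^[:space:]"]*\$\$' "$@" && return 1
    return 0
}

# Constructed sample of `mtx -f /dev/sg0 status` output.
SAMPLE_STATUS='  Storage Changer /dev/sg0:1 Drives, 8 Slots ( 0 Import/Export )
Data Transfer Element 0:Full (Storage Element 3 Loaded):VolumeTag = V00003
      Storage Element 1:Full :VolumeTag=V00001
      Storage Element 3:Empty'
SAMPLE_EMPTY='Data Transfer Element 0:Empty'

parse_mtx_status 0 "$SAMPLE_STATUS"   # 3
parse_mtx_status 0 "$SAMPLE_EMPTY"    # 0
```

Running find_predictable_tmp over the three scripts named in the report flags lines 11, 201, 202, 204, 205 and 118 to 122 of the quoted code.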
>> Hello,
>>
>> * Take a look on : autoconf/randpass
>> ...
> This would only be exploitable on systems that dont have an openssl command, so
> not many systems would be effected, nevertheless, it could potentially be an
> issue. Suggest adding a dependency on openssl.

...

Why openssl ?

...

Regards
because it's only used if openssl isnt available.
eric: where do we stand here? Upstream warned?
Hello,

Reported to the Bacula bug system.

http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=0000422

Regards.
Now public. Version 1.37.39 is out and fixes the issue. Maintainers: please bump.
CCing herd as maintainers don't answer...
Is this a major issue? I just installed bacula and was about to configure it to back up a pretty important server over the public Internet... is that a bad idea with this version? I just installed 1.34.4 because that's what's marked stable right now, and I hadn't seen this yet. Also, how is bacula-1.36.3-r1 in comparison? Is it stable? I see the reference to 1.37.39 above... seems like we're a bit behind. Are there other vulnerabilities that 1.36.3 still has problems with?
These are both local attacks, meaning the attacker needs to get access to the system (and be free to execute code on it). So if you don't have local users on the platform you use Bacula on, that's not such a big deal.
app-backup please bump.
bacula-1.36.3-r2 added that fixes the vulnerability. Romang, thank you, and please check. FYI: 1.37* is the unstable beta version.
Nothing in CVS yet.
Ok, it is in now. Arches please test and mark stable.
Stable on ppc and hppa.
x86 done
Still misses the sparc keyword...
sparc stable.
Ready for GLSA vote, I vote NO since I can't think of a supported arch where openssl is not in system.
Voting NO and closing without GLSA. Romang thanks for reporting.
The password attack on tmp files is one of the situations. The second one, based on scripts/mtx-changer.in, does exist on all platforms. The exploit to use the vulnerability occurs on configurations where the tape backup unit requires manual tape switching. The exploitable times are between tape changes. I'm not sure if this is a sufficiently common configuration for a GLSA or not. I'm not sure if users are often given access on machines where a tape backup may be connected; that may be an effective countermeasure. A few seconds for your consideration, people.
Thx for the details. I agree the second scenario is more likely and tends to be run as root, so now I tend to vote yes :)
Small YES vote from me too.
I would vote NO, seems a rare configuration. Also, cannot control output, so mainly useful for sabotage.
Let's get this done, please cast your vote.
If I'm allowed to vote I'll say no based on Tavis's comments.
Reverting to NO vote and closing with NO GLSA. Feel free to reopen if you disagree.