Bug 107871 - net-misc/cfengine: insecure temporary file use
Summary: net-misc/cfengine: insecure temporary file use
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: C3 [noglsa] jaervosz
Reported: 2005-10-02 04:17 UTC by Thierry Carrez (RETIRED)
Modified: 2005-10-03 06:40 UTC
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 04:17:53 UTC
From Debian Security Advisory DSA 836-1
CVE ID         : CAN-2005-2960

Javier Fernández-Sanguino Peña discovered insecure temporary file use
in cfengine2, a tool for configuring and maintaining networked
machines, that can be exploited by a symlink attack to overwrite
arbitrary files owned by the user executing cfengine, which is
probably root.
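
The bug class described in Comment 1, shown as an added example that is not part of the bug report or of cfengine's code: a shell script contrasting a predictable temporary file name with `mktemp` and `noclobber`, run entirely inside a private sandbox directory. The function names, the `edit.$$` file name and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; all names and data here are hypothetical/constructed.

# Weak pattern: predictable name in a shared directory, opened with plain
# '>', which follows a symlink that another user created there beforehand.
write_predictable() {   # $1 = shared dir, $2 = data
    tmp="$1/edit.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing link is never followed.
write_mktemp() {        # $1 = shared dir, $2 = data; prints the path used
    tmp=$(mktemp "$1/edit.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Fallback without mktemp: noclobber (set -C) makes '>' refuse to write
# through an existing name instead of truncating whatever it points at.
write_noclobber() {     # $1 = shared dir, $2 = data
    tmp="$1/edit.$$"
    ( set -C; printf '%s\n' "$2" > "$tmp" ) 2>/dev/null
}

# Demo in a private sandbox; nothing outside "$box" is touched.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    echo "important" > "$box/target"
    ln -s "$box/target" "$box/tmp/edit.$$"   # constructed pre-existing link

    write_noclobber "$box/tmp" "scratch" && nc=0 || nc=1
    write_mktemp "$box/tmp" "scratch" >/dev/null
    after_safe=$(cat "$box/target")          # still "important"

    write_predictable "$box/tmp" "scratch"
    after_unsafe=$(cat "$box/target")        # overwritten via the link

    rm -rf "$box"
    echo "noclobber_rc=$nc safe=$after_safe unsafe=$after_unsafe"
}

demo
```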
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-02 10:19:25 UTC
Lance/Kurt please verify and advise. 
Comment 3 Lance Albertson (RETIRED) gentoo-dev 2005-10-02 10:35:41 UTC
Hrm.. I looked into it and couldn't find much information about it and the fix.
I just emailed the cfengine list to get some more feedback on the issue. In the
meantime, I did notice they had a newer version of cfengine out that I hadn't
bumped yet. I'll see about bumping that (even though there is no mention about a
security fix in the changelog).
Comment 4 Lance Albertson (RETIRED) gentoo-dev 2005-10-03 06:27:50 UTC
I started the thread [1] on the cfengine mailing list and I got two responses
back. The first [2] one went into detail about the actual vuln being a
third-party script that's called vicf. Some of the older ebuilds used to include
this because it was in the contrib folder. The latest ebuilds I have in portage
right now shouldn't include that script. The second [3] reply was from the
actual author of cfengine basically saying the same thing.

My call is that this shouldn't be a problem since I don't include those scripts
anymore. I just double checked and I just removed the ebuilds that used to have
that file included a few days ago. If anyone hadn't updated cfengine in the last
say.. 2-3 months, they may be vuln to this exploit. But this exploit is only if
they use the third party scripts.

Let me know if you need more information.

Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 06:40:14 UTC
OK, we'll consider this one fixed in recent versions, and not worth a GLSA
(obscure contrib script). Thanks for investigating this.

Security: feel free to reopen if you disagree.