From Debian Security Advisory DSA 836-1 CVE ID : CAN-2005-2960 Javier Fernández-Sanguino Peña discovered insecure temporary file use in cfengine2, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.
Lance/Kurt please verify and advise.
Hrm.. I looked into it and couldn't find much information about it and the fix. I just emailed the cfengine list to get some more feedback on the issue. In the meantime, I did notice they had a newer version of cfengine out that I hadn't bumped yet. I'll see about bumping that (even though there is no mention about a security fix in the changelog).
I started the thread [1] on the cfengine mailing list and I got two responses back. The first [2] one went into detail about the actual vuln being a third-party script that's called vicf. Some of the older ebuilds used to include this because it was in the contrib folder. The latest ebuilds I have in portage right now shouldn't include that script. The second [3] reply was from the actual author of cfengine basically saying the same thing. My call is that this shouldn't be a problem since I don't include those scripts anymore. I just double checked and I just removed the ebuilds that used to have that file included a few days ago. If anyone hadn't updated cfengine in the last say.. 2-3 months, they may be vuln to this exploit. But this exploit is only if they use the third party scripts. Let me know if you need more information.
[1] http://thread.gmane.org/gmane.comp.sysutils.cfengine.general/6713
[2] http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6715
[3] http://article.gmane.org/gmane.comp.sysutils.cfengine.general/6717
OK, we'll consider this one fixed in recent versions, and not worth a GLSA (obscure contrib script). Thanks for investigating this. Security: feel free to reopen if you disagree.
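As an added illustration of the vulnerability class the DSA text at the top describes (this is constructed example code, not the vicf script or any cfengine code), the shell snippet below puts a predictable temp-file write in a shared directory beside the mktemp(1) form that creates a fresh file instead of following a pre-placed link; the directory, function names and file contents are all made up for the demo.

```shell
#!/bin/sh
# Constructed illustration of insecure temporary file use (CWE-377 style).
# Nothing here is taken from vicf or cfengine; names and paths are invented.

# Insecure pattern: fixed, guessable name plus a truncating redirection.
# If a symlink already sits at this path, the write follows it and clobbers
# the link target with the caller's privileges (root when run from cfengine).
insecure_tmp_write() {
    tmpfile="$1/edit.tmp"                # predictable name in a shared dir
    printf 'config edit\n' > "$tmpfile"  # follows a pre-existing symlink
    echo "$tmpfile"
}

# Hardened pattern: mktemp(1) creates a new file with an unpredictable suffix
# using O_CREAT|O_EXCL semantics, so an existing link is never followed.
secure_tmp_write() {
    tmpfile=$(mktemp "$1/edit.XXXXXXXX") || return 1
    printf 'config edit\n' > "$tmpfile"
    echo "$tmpfile"
}

# Self-contained check in a private scratch directory: the "victim" file
# stands in for any file the privileged caller must not overwrite.
demo() {
    work=$(mktemp -d) || return 1
    target="$work/victim"
    printf 'original\n' > "$target"
    ln -s "$target" "$work/edit.tmp"     # constructed pre-placed symlink

    insecure_tmp_write "$work" >/dev/null
    insecure_result=$(cat "$target")     # victim now reads "config edit"

    printf 'original\n' > "$target"
    secure_tmp_write "$work" >/dev/null
    secure_result=$(cat "$target")       # victim still reads "original"

    rm -rf "$work"
    printf '%s|%s\n' "$insecure_result" "$secure_result"
}
```

Running `demo` prints `config edit|original`: the first field shows the victim file overwritten through the link, the second shows the mktemp variant leaving it untouched.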