Not sure if it affects Gentoo: Raphael Geissert conducted a review of various packages in Debian and found that cluster-agents contained a script that could be abused by an attacker to execute arbitrary code [1]. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, resource-agents contains rgmanager, which has the same scripts as Debian's cluster-agents. /usr/share/cluster/SAPDatabase and /usr/share/cluster/SAPInstance both re-set LD_LIBRARY_PATH insecurely:

  # as root user we need the library path to the SAP kernel to be able to call executables
  if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
    LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
  fi

A solution is to patch the scripts to properly set $LD_LIBRARY_PATH:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3389.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549
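The following script is an added illustration of the report above and is not code from the bug, from resource-agents or from the Gentoo ebuild. It puts the insecure prepend (DIR:$LD_LIBRARY_PATH) next to the corrected ${VAR:+:$VAR} form and adds a small checker, has_empty_entry, that flags the zero-length list entries ld.so(8) resolves to the current working directory. The directory /usr/lib/foo is the placeholder used in the report; the function names are chosen here.

```sh
#!/bin/sh
# Added example (not from the bug report or from resource-agents):
# compare the insecure and corrected ways of prepending a directory to
# LD_LIBRARY_PATH and detect empty entries, which ld.so(8) treats as ".".

# Insecure form quoted in the report. When the existing value ($2) is
# unset or empty, the separator leaves a trailing zero-length entry.
prepend_insecure() {
    # $1 = directory to prepend, $2 = current LD_LIBRARY_PATH value
    printf '%s\n' "$1:$2"
}

# Corrected form from the report: ${2:+:$2} expands to ":<value>" only
# when the current value is non-empty, so no separator is emitted otherwise.
prepend_secure() {
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 (true) when a colon-separated search path contains an empty
# entry: a leading ':', a trailing ':' or '::' anywhere in the middle.
# An entirely empty string has no entries and is therefore not flagged.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# Audit the live environment: returns 0 if LD_LIBRARY_PATH is safe,
# 1 if it carries an empty entry. Unset is treated as safe.
audit_current_env() {
    if has_empty_entry "${LD_LIBRARY_PATH-}"; then
        echo "LD_LIBRARY_PATH contains an empty entry: '$LD_LIBRARY_PATH'" >&2
        return 1
    fi
    return 0
}

# Demonstration over constructed inputs: an unset/empty prior value and a
# populated one, run through both prepend variants.
for prior in '' '/usr/lib'; do
    for fn in prepend_insecure prepend_secure; do
        out=$("$fn" /usr/lib/foo "$prior")
        if has_empty_entry "$out"; then
            verdict='EMPTY ENTRY -> ld.so would search the cwd'
        else
            verdict='ok'
        fi
        printf '%-16s prior=%-10s result=%-24s %s\n' "$fn" "'$prior'" "'$out'" "$verdict"
    done
done
```

Running it shows that only prepend_insecure with an empty prior value yields a flagged path (/usr/lib/foo:); with a populated prior value both forms produce the same safe string, which is why the defect in the SAP scripts only shows up when LD_LIBRARY_PATH was not already set.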
+*rgmanager-2.03.09-r1 (20 Jan 2011) + + 20 Jan 2011; Kacper Kowalik <xarthisius@gentoo.org> + +rgmanager-2.03.09-r1.ebuild, +files/rgmanager-2.03.09-CVE-2010-3389.patch: + Bump to EAPI2, respect multilib paths, remove obsolete bits fixing man + chmods, apply security patch wrt #352213, general cleanup +
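Review bot: this -r1 revision bundles the security patch (files/rgmanager-2.03.09-CVE-2010-3389.patch) together with an EAPI2 bump, multilib path changes, removal of the man chmod bits and general cleanup; for a fix that arches are immediately asked to stabilize, a revision carrying only the patch would keep unrelated build changes from holding up stabilization, with the cleanup landing in a separate revision. The entry also names the CVE only in the patch filename; stating CVE-2010-3389 in the entry text as well, next to "wrt #352213", would make the ChangeLog searchable for it.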
Thank you for quick reaction. Arches, please stabilize =sys-cluster/rgmanager-2.03.09-r1
dlm-lib-2.03.09 fails with bug 305463, but .11 produces the following failure:

  (sys-cluster/dlm-lib-2.03.11, ebuild scheduled for merge) pulled in by
    =sys-cluster/dlm-lib-2.03.11

  (sys-cluster/dlm-lib-2.03.09, ebuild scheduled for merge) pulled in by
    =sys-cluster/dlm-lib-2.03.09* required by (sys-cluster/rgmanager-2.03.09-r1, ebuild scheduled for merge)
(In reply to comment #3)
> dlm-lib-2.03.09 fails with bug 305463, but .11 produces the following failure:

This will be gone with any linux-headers >= 2.6.30-r1. Added dep on bug 352059 since stabilization of linux-headers-2.6.36.1 is requested there.
Just in case, there is an upstream patch: http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec . Anyway, we have a local patch which is only slightly different. I've updated the bug dependency, since we're waiting not for asterisk but for linux-headers.
Created attachment 262647 [details]
build.log with failures

(In reply to comment #5)
> Just in case, there is an upstream patch:
> http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec
> . Anyway, we have a local patch which is only slightly different.
>
> I've updated the bug dependency, since we're waiting not for asterisk but for
> linux-headers.

Ok, linux-headers are through on x86, but this one fails to build.
Moreover, the program fails to pass the multilib test because it installs the libraries to plain /usr/lib instead of the /usr/lib64 folder.
fixed multilib for cman-lib and dlm-lib -> amd64 stable
=sys-cluster/rgmanager-2.03.09-r1 tested on x86, all good here ...
Created attachment 267377 [details]
build.log

I think it fails in the same way as for Thomas.

Portage 2.1.9.42 (default/linux/x86/10.0/developer, gcc-4.4.5, glibc-2.11.3-r0, 2.6.36-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-i686-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-1.12.14
Timestamp of tree: Sun, 27 Mar 2011 10:30:01 +0000
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.6.6-r2, 3.1.3-r1
dev-util/cmake:           2.8.1-r2
sys-apps/baselayout:      1.12.14-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.13, 2.65-r1
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:       2.20.1-r1
sys-devel/gcc:            4.4.5
sys-devel/gcc-config:     1.4.1
sys-devel/libtool:        2.2.10
sys-devel/make:           3.81-r2
virtual/os-headers:       2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect digest distlocks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms sign splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa berkdb bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus device-mapper dri dts dvd dvdr emacs emboss encode exif fam firefox flac fortran gdbm gdu gif gnutls gtk iconv icu jpeg lcms libnotify mad mbox mikmod mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly nss ogg opengl openmp pam pango pcre pdf perl png policykit ppds pppd python qt3support readline sdl secure-delete session snmp spell sqlite ssl startup-notification subversion svg sysfs tcb tcpd tiff toolkit-scroll-bars truetype udev unicode usb vorbis x264 x86 xcb xft xinerama xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ens1371" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard vmmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vmware vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #10)
> Created attachment 267377 [details]
> build.log
>
> I think it fails in the same way as for Thomas.

I get exactly the same on my x86 box.
@cluster: Any news here? Feels bad for us at x86 to leave the security bug open for so long, but there seem to be some regressions?
Maintainers, please provide an ebuild that works on x86 (see failure logs attached to this bug).
15 May 2011; Kacper Kowalik <xarthisius@gentoo.org> rgmanager-2.03.09-r1.ebuild:
  Update dependencies as it fails to build with dev-libs/libxml2[icu] (bug 352213)
  Remove -Werror

Please try again
sys-cluster/rgmanager-2.03.09-r1 looks now good here on x86. It would be a good thing if the package could provide an example cluster.conf, or if at least the init script wouldn't just exit if none is present!
(In reply to comment #15)
> It would be a good thing if the package could provide an example cluster.conf,
> or if at least the init script wouldn't just exit if none is present!

That's something you should note in a new bug.
x86 stable, thanks everyone!
Thanks, folks. GLSA Vote: yes.
CVE-2010-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389): The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents (aka resource-agents or cluster-agents) 1.0.3 in Linux-HA place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
Vote: YES. New GLSA request filed.
This issue was resolved and addressed in GLSA 201110-18 at http://security.gentoo.org/glsa/glsa-201110-18.xml by GLSA coordinator Tobias Heinlein (keytoaster).