Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 371469 (CVE-2011-1784) - <sys-cluster/keepalived-1.2.2-r3 : pidfile_write() insecure permissions (CVE-2011-1784)
Summary: <sys-cluster/keepalived-1.2.2-r3 : pidfile_write() insecure permissions (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2011-1784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-13 20:26 UTC by GLSAMaker/CVETool Bot
Modified: 2012-07-09 23:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 20:26:30 UTC
CVE-2011-1784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1784):
  The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier
  uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3)
  vrrp.pid files in /var/run/, which allows local users to kill arbitrary
  processes by writing a PID to one of these files.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-02-28 02:34:36 UTC
Bumped with the fix from the debian patchset.
Tested by infra on amd64.

Arches, please stabilize 1.2.2-r3.

target keywords:
alpha amd64 hppa ia64 ppc ppc64 s309 sparc x86
Comment 2 Jeroen Roovers gentoo-dev 2012-02-28 18:49:34 UTC
Stable for HPPA.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2012-02-28 19:35:30 UTC
ppc done
Comment 4 Agostino Sarubbo gentoo-dev 2012-02-29 14:38:10 UTC
amd64 stable
Comment 5 Tobias Klausmann gentoo-dev 2012-03-02 13:43:37 UTC
Stable on alpha.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-03 12:53:58 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-03-17 17:31:57 UTC
ia64/s390/sparc stable
Comment 8 Sean Amoss gentoo-dev Security 2012-06-05 23:02:40 UTC
Re-adding ppc64 to mark stable (looks like the wrong arch was accidentally removed from CC).
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-06-06 14:08:03 UTC
ppc64 done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-06-08 17:37:48 UTC
all good
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-06-08 17:40:14 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Sean Amoss gentoo-dev Security 2012-06-11 19:50:44 UTC
GLSA vote: yes.

Filing new GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:32:35 UTC
This issue was resolved and addressed in
 GLSA 201207-07 at http://security.gentoo.org/glsa/glsa-201207-07.xml
by GLSA coordinator Sean Amoss (ackle).