Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 434878 (CVE-2012-4430) - <app-backup/bacula-5.2.12 : Console ACL Bypass Security Issue (CVE-2012-4430)
Summary: <app-backup/bacula-5.2.12 : Console ACL Bypass Security Issue (CVE-2012-4430)
Status: RESOLVED FIXED
Alias: CVE-2012-4430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50535/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-13 09:32 UTC by Agostino Sarubbo
Modified: 2016-03-18 08:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-09-13 09:32:09 UTC
Description
A security issue has been reported in Bacula, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error within the implementation of console ACLs, which can be exploited to gain access to certain restricted functionality and e.g. dump resources.

The security issue is reported in versions prior to 5.2.11.


Solution
Update to version 5.2.11.
Comment 1 Thomas Beierlein gentoo-dev 2012-09-16 08:03:58 UTC
(In reply to comment #0)
> Description
> A security issue has been reported in Bacula, which can be exploited by
> malicious users to bypass certain security restrictions.
> 
> The security issue is caused due to an error within the implementation of
> console ACLs, which can be exploited to gain access to certain restricted
> functionality and e.g. dump resources.
> 
> The security issue is reported in versions prior to 5.2.11.
> 
> 
> Solution
> Update to version 5.2.11.

Version 5.2.11 got withdrawn by upstream (see bug #435018) and replaced by 5.2.12.
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-16 09:04:34 UTC
Just wait few days as per maintainer request on irc.
Comment 3 Thomas Beierlein gentoo-dev 2012-09-21 11:47:38 UTC
(In reply to comment #2)
> Just wait few days as per maintainer request on irc.

bacula-5.2.12 should be ready to go. So arches please stabilize.
Comment 4 Anthony Basile gentoo-dev 2012-09-22 14:55:35 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-22 21:25:31 UTC
amd64 stable
Comment 6 Jeroen Roovers gentoo-dev 2012-09-23 17:00:32 UTC
I have moved HPPA to unstable because of bug #409229 and this bug.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-09-23 17:24:55 UTC
sparc/x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-09-23 18:28:45 UTC
cleanup done, please vote
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-10-02 06:44:24 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-10-13 20:41:13 UTC
CVE-2012-4430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4430):
  The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does
  not properly enforce ACL rules, which allows remote authenticated users to
  obtain resource dump information via unspecified vectors.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:54:33 UTC
Yes. GLSA request created.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:26:02 UTC
This issue was resolved and addressed in
 GLSA 201405-11 at http://security.gentoo.org/glsa/glsa-201405-11.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 13 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-18 09:12:41 UTC
Guys, 5.0.3-r3 is not affected, see ChangeLog. Can you please edit the GLSA and exclude it from the affected ranges?
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-18 08:35:39 UTC
5.0.3-r3 is no longer in the tree. GLSA was never modified but that is no longer an issue.