Bug 55675 - net-firewall/shorewall : insecure temporary files allow file system overwrite
Summary: net-firewall/shorewall : insecure temporary files allow file system overwrite
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Highest normal
Assignee: Gentoo Security
URL: http://lists.shorewall.net/pipermail/...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2004-06-30 06:23 UTC by Thierry Carrez (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-30 06:23:01 UTC
From Shorewall's Tom Eastep :

"Javier Fernández-Sanguino Peña has discovered an exploitable 
vulnerability in the way that Shorewall handles temporary files and 
directories. The vulnerability can allow a non-root user to cause 
arbitrary files on the system to be overwritten. LEAF Bering and Bering 
uClibc users are generally not at risk due to the fact that LEAF boxes 
do not typically allow logins by non-root users.

For 2.0 users, the problem is corrected in version 2.0.3a:

	http://shorewall.net/pub/shorewall/shorewall-2.0.3a
	ftp://shorewall.net/pub/shorewall/shorewall-2.0.3a

For 1.4 users, the correct version is:

	http://shorewall.net/pub/shorewall/shorewall-1.4.10f
	ftp://shorewall.net/pub/shorewall/shorewall-1.4.10f

I would appreciate immediate feedback on the 1.4.10f version; given that 
I don't have any 1.4 systems remaining, I couldn't fully test that code."
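The advisory above describes the bug only in outline. As an added illustration that is not Shorewall's own code (the bug does not show it), here is the predictable-path pattern that lets any local user pre-create or symlink the target, beside a mktemp-based replacement and a check a script can run before writing into a temporary directory; the `shorewall.` prefix and function names are assumptions.

```shell
#!/bin/sh
# Added illustration, not Shorewall code. Shows why a fixed temporary
# path is unsafe and how an atomically created private directory avoids
# the file-overwrite problem described in the advisory.

# Weak pattern: a fixed, predictable name under a world-writable directory.
# Another local user can create it first, or plant a symlink there, so a
# later write lands on whatever file the link points to.
unsafe_tmpfile() {
    echo "${TMPDIR:-/tmp}/shorewall-work.$1"   # predictable and never checked
}

# Safer pattern: mktemp -d creates a fresh directory atomically with mode
# 0700 and a random suffix, so no other user can pre-create, replace or
# read it. The umask is set in a subshell so files written later inside
# the directory are private too without changing the caller's umask.
safe_tmpdir() {
    (umask 077; mktemp -d "${TMPDIR:-/tmp}/shorewall.XXXXXX")
}

# Check a directory before trusting it: it must not be a symlink, must be
# a real directory, owned by the current user, with mode exactly 0700.
# Returns 0 when the directory passes, 1 otherwise.
tmpdir_is_safe() {
    [ -L "$1" ] && return 1
    [ -n "$(find "$1" -maxdepth 0 -type d -user "$(id -un)" -perm 700 2>/dev/null)" ]
}
```

`-maxdepth` is a GNU and BSD find extension rather than POSIX, so on an unusual find replace that line with a `stat`-based owner and mode comparison.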
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-06-30 06:24:29 UTC
Martin: could you have a look and bump accordingly?
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2004-07-01 05:16:51 UTC
2.0.3a and 1.4.10f are in CVS.

Adding arch maintainers to mark at least 1.4.10f stable.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-01 06:25:14 UTC
Thanks Martin.
alpha, ppc, x86, sparc: please test and mark 1.4.10f stable.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-02 16:20:58 UTC
1.4.10f marked stable on alpha.
Comment 6 Jason Wever (RETIRED) gentoo-dev 2004-07-03 11:47:08 UTC
Stable on sparc.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2004-07-05 14:08:18 UTC
GLSA drafted: security please review.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-07-08 02:21:46 UTC
GLSA is ready. The ebuild is now x86 stable.
We're just waiting for ppc to test and mark 1.4.10f stable to publish the GLSA.
Comment 9 Luca Barbato gentoo-dev 2004-07-08 08:13:34 UTC
Marked ppc
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-07-08 09:23:45 UTC
Thanks!
It's now ready to send.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-07-08 10:27:12 UTC
GLSA 200407-07