Bug 68406 - sys-fs/lvm-user: Insecure tmpfile use
Summary: sys-fs/lvm-user: Insecure tmpfile use
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Priority / Severity: Highest / minor
Assignee: Gentoo Security
URL: http://bugzilla.redhat.com/bugzilla/s...
Whiteboard: B3 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-21 07:58 UTC by Thierry Carrez (RETIRED)
Modified: 2004-11-11 13:28 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch from RedHat bug (lvm-1.0.8-tempfile.patch, 554 bytes, patch), 2004-10-21 08:06 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 07:58:37 UTC
CAN-2004-0972

The lvmcreate_initrd script in the lvm package in Trustix Secure Linux
1.5 through 2.1, and possibly other operating systems, allows local
users to overwrite files via a symlink attack on temporary files.
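The symlink attack named in the description, shown as an added example that is not part of this bug's attachment, the RedHat patch, or the lvmcreate_initrd source: a hypothetical script that writes to a fixed, predictable path under the temp directory, beside the mktemp-based fix, and a demo that plays the local attacker inside a throwaway directory. The function names, file names and sandbox layout are assumptions made for this illustration.

```sh
#!/bin/sh
# Added illustration of the bug class behind CAN-2004-0972 (symlink attack on
# a predictable temporary file). Constructed example, not the lvmcreate_initrd
# script or the RedHat patch; every name below is an assumption for the demo.

# Vulnerable pattern (hypothetical): a fixed name under the temp directory,
# written through with a plain redirection. The shell's '>' follows an
# existing symlink, so whoever planted it chooses the real target. Building
# the name from $$ does not help: PIDs are guessable, and a local user can
# pre-create links for many candidate names.
unsafe_tmpwrite() {
    dir=$1; data=$2
    tmp="$dir/lvmcreate_initrd.tmp"
    printf '%s\n' "$data" > "$tmp"
}

# Hardened pattern: mktemp(1) picks an unpredictable name and creates the
# file itself with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink is
# never followed and a collision makes the call fail instead of silently
# reusing someone else's file. Fail closed when mktemp fails.
safe_tmpwrite() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/lvmcreate_initrd.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
}

# Demo: act as the local attacker inside a private scratch directory so
# nothing outside it is touched. Prints "<victim after unsafe> <after safe>".
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"            # stands in for e.g. /etc/passwd
    echo original > "$victim"

    # Attacker wins the race: the link exists before the script writes.
    ln -s "$victim" "$sandbox/lvmcreate_initrd.tmp"
    unsafe_tmpwrite "$sandbox" clobbered
    after_unsafe=$(cat "$victim")       # victim now reads "clobbered"

    echo original > "$victim"
    # Same attempt against the mktemp version: the generated name cannot be
    # guessed and O_EXCL refuses any existing entry, so the link is ignored.
    ln -s "$victim" "$sandbox/lvmcreate_initrd.XXXXXX"
    safe_tmpwrite "$sandbox" clobbered
    after_safe=$(cat "$victim")         # victim still reads "original"

    rm -rf "$sandbox"
    echo "$after_unsafe $after_safe"
}
```

To audit a shell script for this class, look for paths under /tmp that are either fixed or built from $$ and then created with a plain redirection, cp or cat, rather than obtained from mktemp; each such write is a candidate for the same symlink substitution.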
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:06:58 UTC
Created attachment 42316
Patch from RedHat bug

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-22 08:11:11 UTC
We have two lvm packages in our tree, lvm-user for LVM 1.* and lvm2 for LVM 2.*. The script is only in LVM 1.* releases. So we should either remove the package or fix it :)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:27:54 UTC
base-system: please either fix this or remove lvm-user altogether. I'm sure you prefer we don't mess with it ourselves :)
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-02 02:39:43 UTC
Debian bug report: 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279229>

Diff from Ubuntu Linux (full diff to orig package including typical Debian stuff): <http://security.ubuntu.com/ubuntu/pool/main/l/lvm10/lvm10_1.0.8-4ubuntu1.1.diff.gz>
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 06:12:26 UTC
Patch in attachment applies cleanly to lvm-user-1.0.7-r1.
Comment 6 SpanKY gentoo-dev 2004-11-09 21:56:56 UTC
1.0.7-r2 is in portage with the fix
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-09 23:03:08 UTC
Arches please mark stable.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-10 04:48:05 UTC
What stable? vapier bumped every one to stable directly...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-11-10 04:58:18 UTC
Sune obviously needs some rest :) Sorry for the inconvenience...
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-11 13:28:57 UTC
GLSA 200411-22