Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68406 - sys-fs/lvm-user: Insecure tmpfile use
Summary: sys-fs/lvm-user: Insecure tmpfile use
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Highest minor
Assignee: Gentoo Security
URL: http://bugzilla.redhat.com/bugzilla/s...
Whiteboard: B3 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-21 07:58 UTC by Thierry Carrez (RETIRED)
Modified: 2004-11-11 13:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Patch from RedHat bug (lvm-1.0.8-tempfile.patch,554 bytes, patch)
2004-10-21 08:06 UTC, Thierry Carrez (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 07:58:37 UTC 
CAN-2004-0972

The lvmcreate_initrd script in the lvm package in Trustix Secure Linux
1.5 through 2.1, and possibly other operating systems, allows local
users to overwrite files via a symlink attack on temporary files.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:06:58 UTC 
Created attachment 42316 [details, diff]
Patch from RedHat bug

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-22 08:11:11 UTC 
We have two lvm packages in our tree, lvm-user for LVM 1.* and lvm2 for LVM 2.*. The script is only in LVM 1.* releases. So we should either remove the package or fix it :)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:27:54 UTC 
base-system: please either fix this or remove lvm-user altogether. I'm sure you prefer we don't mess with it ourselves :)
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-02 02:39:43 UTC 
Debian bug report: 
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279229>

Diff from Ubuntu Linux (full diff to orig package including typical Debian stuff): <http://security.ubuntu.com/ubuntu/pool/main/l/lvm10/lvm10_1.0.8-4ubuntu1.1.diff.gz>
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-05 06:12:26 UTC 
Patch in attachment applies cleanly to lvm-user-1.0.7-r1.
Comment 6 SpanKY gentoo-dev 2004-11-09 21:56:56 UTC 
1.0.7-r2 is in portage with the fix
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-09 23:03:08 UTC 
Arches please mark stable.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-10 04:48:05 UTC 
What stable? vapier bumped every one to stable directly...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-11-10 04:58:18 UTC 
Sune obviously needs some rest :) Sorry for the inconvenience...
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-11 13:28:57 UTC 
GLSA 200411-22