Bug 758974 - <net-dns/unbound-1.13.0: symbolic link traversal when writing PID file (CVE-2020-28935)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Keywords: CC-ARCHES, STABLEREQ
Blocks: CVE-2020-28935
Reported: 2020-12-07 23:25 UTC by GLSAMaker/CVETool Bot
Modified: 2020-12-23 01:12 UTC
Package list:
net-dns/unbound-1.13.0
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-12-07 23:25:52 UTC
CVE-2020-28935 (https://nvd.nist.gov/vuln/detail/CVE-2020-28935):
  A symbolic link traversal vulnerability was found in the way nsd and unbound
  write their PID file while starting up. A local attacker with access to the
  nsd or unbound user could set up a link to another file, owned by root, and
  make unbound overwrite it during its next restart, destroying the original
  content.
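Added example, not part of the bug report and not code from unbound or nsd: the PID-file write described in the CVE text above, shown in a weak form that follows a planted symbolic link and in a hardened form that refuses it. The function names, the temporary directory and the file names are constructed for illustration.

```c
#define _GNU_SOURCE 1  /* for O_NOFOLLOW and mkdtemp on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: fopen("w") follows a symlink at path and truncates its target. */
int write_pid_naive(const char *path, long pid) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened form: refuse a symlink at path, and truncate only after the
 * opened object is confirmed to be a regular file with a single link. */
int write_pid_safe(const char *path, long pid) {
    char buf[32]; struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;                  /* ELOOP when path is a symlink */
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
          && ftruncate(fd, 0) == 0 && write(fd, buf, (size_t)len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario in a private temp dir: daemon.pid is a planted link
 * to "victim". Returns 1 if victim keeps its content, 0 if overwritten. */
int victim_survives(int use_safe) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidf[64], got[16] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidf, sizeof pidf, "%s/daemon.pid", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important", f); fclose(f);
    if (symlink(victim, pidf) != 0) return -1;
    if (use_safe) write_pid_safe(pidf, 4242); else write_pid_naive(pidf, 4242);
    if ((f = fopen(victim, "r"))) { fgets(got, sizeof got, f); fclose(f); }
    unlink(pidf); unlink(victim); rmdir(dir);
    return strcmp(got, "important") == 0;
}

int main(void) {
    printf("naive intact=%d, safe intact=%d\n", victim_survives(0), victim_survives(1));
    return 0;
}
```

Keeping the PID file in a directory that only root can write to removes the opportunity to plant the link in the first place; the open-time checks are a second layer.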
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-10 21:42:34 UTC
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-11 22:10:49 UTC
arm done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-15 10:36:51 UTC
amd64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 23:10:59 UTC
ppc done
Comment 5 ernsteiswuerfel archtester 2020-12-20 23:56:56 UTC
Looking good on ppc64.

rdep gnutls fails tests (bug #760899).

 # cat unbound-758974.report 
USE tests started on So 20. Dez 23:48:56 CET 2020

FEATURES=' test' USE='' succeeded for =net-dns/unbound-1.13.0
USE='-dnscrypt -ecdsa -ecs -gost -http2 -libressl -python redis static-libs -systemd -threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt -ecdsa ecs gost http2 -libressl -python redis static-libs -systemd -threads' succeeded for =net-dns/unbound-1.13.0
USE='-dnscrypt ecdsa -ecs gost http2 -libressl -python -redis -static-libs systemd -threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt -ecdsa -ecs -gost -http2 -libressl -python -redis static-libs -systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt -ecdsa -ecs -gost -http2 -libressl -python -redis -static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='-dnscrypt ecdsa ecs gost http2 -libressl -python -redis -static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt -ecdsa -ecs gost http2 -libressl -python -redis -static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='-dnscrypt ecdsa ecs -gost -http2 -libressl -python redis -static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt ecdsa -ecs gost http2 -libressl -python -redis static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt -ecdsa -ecs gost http2 -libressl -python -redis static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='-dnscrypt ecdsa ecs -gost -http2 -libressl -python redis static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0
USE='dnscrypt ecdsa -ecs gost -http2 -libressl -python redis static-libs systemd threads' succeeded for =net-dns/unbound-1.13.0

revdep tests started on Mo 21. Dez 00:42:22 CET 2020

USE='dane' FEATURES=' test' failed for net-libs/gnutls
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 05:19:41 UTC
ppc64 done

all arches done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 05:19:56 UTC
(In reply to ernsteiswuerfel from comment #5)
> Looking good on ppc64.
>

Thank you!
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 05:20:11 UTC
Please cleanup.
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 01:12:07 UTC
GLSA Vote: No

Repository is clean, all done!