Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 97175 - sys-cluster/heartbeat <= 1.2.3 insecure file creation
Summary: sys-cluster/heartbeat <= 1.2.3 insecure file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.debian.org/security/2005/d...
Whiteboard: B3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-06-27 01:43 UTC by Romang
Modified: 2019-11-28 22:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Romang 2005-06-27 01:43:48 UTC
Hello,

Look at :

cts/CTStests.py.in

873         fstmpfile = "/tmp/band_estimate"
874         dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
875         %               (port, fstmpfile);

1076             self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
1077             if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
1078                 line = open("/tmp/drbd").readlines()[2]

1113         if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
1114             self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
1115             lines=open("/tmp/drbdconf","r")

Also in :

heartbeat/lib/BasicSanityCheck.in

46 LOGFILE=/tmp/linux-ha.testlog

This file contain a lot off actions on the insecure tmp file.

Also in :

lib/stonith/meatclient.c

58         const char *    meatpipe_pr = "/tmp/.meatware";
101                 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);

Regards.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-05 06:09:22 UTC
(In reply to comment #0)
> cts/CTStests.py.in
> 
> 873         fstmpfile = "/tmp/band_estimate"
> 874         dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \
> 875         %               (port, fstmpfile);

confirmed, insecure temp file handling.

> 1076             self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1")
> 1077             if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"):
> 1078                 line = open("/tmp/drbd").readlines()[2]

confirmed, second order symlink attack.

> 1113         if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0:
> 1114             self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp")
> 1115             lines=open("/tmp/drbdconf","r")

confirmed, second order symlink attack via scp.

> heartbeat/lib/BasicSanityCheck.in
> 
> 46 LOGFILE=/tmp/linux-ha.testlog

confirmed, second order again.

> lib/stonith/meatclient.c
> 
> 58         const char *    meatpipe_pr = "/tmp/.meatware";
> 101                 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost);
> 
> Regards.

confirmed, looks like it needs some O_EXCL goodness line ~103.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 05:20:20 UTC
Eric, please tell us when upstream is advised...
Comment 3 Romang 2005-07-12 00:29:50 UTC
Hello,

Vendor informed.

Regards.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 12:55:55 UTC
Leaked by Secunia, SA16039
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 05:27:01 UTC
Pulling in maintainer
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-18 23:55:18 UTC
Cluster, please provide an updated ebuild. 
Comment 7 Konstantin Arkhipov (RETIRED) gentoo-dev 2005-07-22 07:29:05 UTC
can someone please test and commit this pack-of-debian-security-patches [1] to 
1.2.3?

i have no heartbeat installations currently.

[1] http://dev.gentoo.org/~voxus/stuff/heartbeat-1.2.3-debian_security_fixes.
patch
Comment 8 Christian Zoffoli (RETIRED) gentoo-dev 2005-07-23 07:28:00 UTC
reply to #7: 

sure, I'll test it.
Comment 9 Michael Imhof (RETIRED) gentoo-dev 2005-07-28 14:52:29 UTC
reply to #8:

do they work and if yes, do you want to commit them?
Comment 10 Christian Zoffoli (RETIRED) gentoo-dev 2005-07-28 17:27:21 UTC
heartbeat-1.2.3-r1 is on cvs (with the suggested fix), but it's not marked stable.

Security Team please review it and mark it stable (almost on x86 as the previous
one).

Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-28 22:35:40 UTC
x86 please test and mark stable. 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-07-31 04:40:27 UTC
x86 testers, or cluster herd: could you test and mark stable on x86 ?
Comment 13 Christian Zoffoli (RETIRED) gentoo-dev 2005-08-01 06:35:23 UTC
The patch works fine but I've found another problem.

LVM scripts in heartbeat doesn't works fine with LVM2, the patch fixes also this
behaviour but we haven't /sbin/lvmiopversion util (from lvm-common) in the portage.

So, I've splitted the patch and marked stable the -r1 ebuild with the security
fix and I've added another ebuild (-r2) with an experimental LVM2 fix.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-08-01 08:04:24 UTC
Please don't close security bugs, we'll do it when we are finished with them.
Security: please vote on GLSA need.

I don't know what to vote, on one hand, those are probably root-executed
scripts, on the other, heartbeat is not something you often find on multiuser
setups... I guess I vote half-yes...
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-01 21:58:28 UTC
Half YES from me as well. 
Comment 16 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-05 00:34:23 UTC
weak YES also
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 00:37:00 UTC
OK, let's make that a full yes.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-07 01:07:54 UTC
GLSA 200508-05