Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 246013 (CVE-2008-4953) - <net-firewall/firehol-1.273-r1 symlink attack (CVE-2008-4953)
Summary: <net-firewall/firehol-1.273-r1 symlink attack (CVE-2008-4953)
Status: RESOLVED FIXED
Alias: CVE-2008-4953
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-11-07 21:58 UTC by Stefan Behte (RETIRED)
Modified: 2009-07-16 12:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch (0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch,1.69 KB, patch)
2009-01-06 22:28 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 21:58:33 UTC
CVE-2008-4953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4953):
  ** DISPUTED **  firehol in firehol 1.256 allows local users to
  overwrite arbitrary files via a symlink attack on (1)
  /tmp/.firehol-tmp-#####-*-* and (2) /tmp/firehol.conf temporary
  files.  NOTE: the vendor disputes this vulnerability, stating that an
  attack "would require an attacker to create 1073741824*PID-RANGE
  symlinks."
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 22:01:37 UTC
http://dev.gentoo.org/~rbu/security/debiantemp/firehol
I did not test 1.273, because it wont let me ebuild ... unpack it (EAPI issues), but the other versions are vuln.

There won't be a vendor-supplied fix and the package has no maintainer. Shall we remove it?!

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:27:30 UTC
Kerin and Gordon seem to have some interest in the program, and considering this has an almost zero attack vector, I would no go for removal.

I'll attach a patch, can someone else please review, and are you guys able to test this? Thanks.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 22:28:51 UTC
Created attachment 177606 [details, diff]
0001-Use-mktemp-instead-of-relying-that-RANDOM-RANDO.patch
Comment 4 Gordon Malm (RETIRED) gentoo-dev 2009-01-08 23:19:57 UTC
I'm unable to test as I don't use it.  I just bumped it @ Kerin's request because he provided the bump, I trust his work is always quality and he's a great help/contributor.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-08 23:56:13 UTC
The patch looks good.
Read to vote, I vote NO.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-09 00:17:27 UTC
Let's get this tested, committed and stable first :-)
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 00:41:48 UTC
I thought that we could do parallel voting and testing/commiting/stabling, I should have changed to [ebuild/glsa?] though.
Comment 8 Gordon Malm (RETIRED) gentoo-dev 2009-03-26 23:43:34 UTC
Kerin.. have any interest in testing this patch?
Comment 9 Kerin Millar 2009-03-29 05:51:22 UTC
Re: Comment 2 - Thanks for your consideration and for the patch.

Re: Comment 8 - Yes, especially as I have recently re-instated my Linux-based gateway after a protracted hiatus caused by a change of ISP and hardware-related matters. As such, I have just applied the patch to a newer version which I am currently using (1.286) and it works as expected. Duly, it gets the thumbs up from these quarters!
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 16:06:20 UTC
+*firehol-1.273-r1 (15 Jul 2009)
+
+  15 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+  +files/firehol-1.273-CVE-2008-4953.patch, +firehol-1.273-r1.ebuild:
+  Patch CVE-2008-4953, symlink attack on a firehol directory in /tmp. Patch
+  tested by Kerin Millar, thanks. Fixes bug 246013.
+
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-15 16:06:55 UTC
Arches, please test and mark stable:
=net-firewall/firehol-1.273-r1
Target keywords : "x86"
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-16 08:03:16 UTC
x86 stable
Comment 13 Kerin Millar 2009-07-16 12:08:57 UTC
Please target amd64 also.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 12:17:41 UTC
Kerin, the ebuild has not been stable on amd64 before. It is therefore against our (security's) policy to request stabling.
I fully agree the package should also have a stable on amd64, but it should be done in accordance with the regular time lines (i.e. 30 days after being in the tree, no open bugs). Please open a bug around August 15 to request stabling of this version on amd64. Feel free to put me in cc on that bug if there's any issue.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 12:18:57 UTC
glsa vote: i vote NO as the $RANDOM-$RANDOM makes success of an attack highly unlikely. CVE is disputed for this reason.
Comment 16 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-16 12:26:47 UTC
Craig's NO in comment 5, my NO here. Closing.