The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier
uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3)
vrrp.pid files in /var/run/, which allows local users to kill arbitrary
processes by writing a PID to one of these files.
Bumped with the fix from the Debian patchset.
Tested by infra on amd64.
Arches, please stabilize 1.2.2-r3.
alpha amd64 hppa ia64 ppc ppc64 s390 sparc x86
Stable for HPPA.
Stable on alpha.
Re-adding ppc64 to mark stable (looks like the wrong arch was accidentally removed from CC).
Thanks, folks. GLSA Vote: yes.
GLSA vote: yes.
Filing new GLSA request.
This issue was resolved and addressed in
GLSA 201207-07 at http://security.gentoo.org/glsa/glsa-201207-07.xml
by GLSA coordinator Sean Amoss (ackle).