Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 736086 (CVE-2020-10699, CVE-2020-13867) - <sys-block/targetcli-fb-2.1.53: Multiple vulnerabilities (CVE-2020-{10699,13867})
Summary: <sys-block/targetcli-fb-2.1.53: Multiple vulnerabilities (CVE-2020-{10699,138...
Status: RESOLVED FIXED
Alias: CVE-2020-10699, CVE-2020-13867
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/open-iscsi/targetc...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks: python38-stable-needed
  Show dependency tree
 
Reported: 2020-08-05 22:46 UTC by Sam James
Modified: 2020-08-30 22:45 UTC (History)
2 users (show)

See Also:
Package list:
sys-block/targetcli-fb-2.1.53
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-08-05 22:46:27 UTC
Description:
"Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files)."

Let's check if Gentoo is actually affected by this.
Comment 1 Sam James archtester gentoo-dev Security 2020-08-05 22:49:00 UTC
The ebuild does nothing special wrt permissions:
>	keepdir /etc/target /etc/target/backup
>	doman targetcli.8

And these issues (as seen in the patch - see URL on this bug) are resolved via a runtime change. So, yes, it seems we are affected.
Comment 2 Sam James archtester gentoo-dev Security 2020-08-05 22:49:42 UTC
Also:

* CVE-2020-10699

Description:
"A flaw was found in Linux, in targetcli-fb versions 2.1.50 and 2.1.51 where the socket used by targetclid was world-writable. If a system enables the targetclid socket, a local attacker can use this flaw to modify the iSCSI configuration and escalate their privileges to root."

https://github.com/open-iscsi/targetcli-fb/issues/162
Comment 3 Sam James archtester gentoo-dev Security 2020-08-05 22:50:25 UTC
Maintainer, please bump to 2.1.53 ASAP.
Comment 4 Diogo Pereira 2020-08-09 16:39:59 UTC
This needs a bump of dev-python/rtslib-fb first.
I opened https://github.com/gentoo/gentoo/pull/16516 a while ago for that...
Comment 5 Sam James archtester gentoo-dev Security 2020-08-15 01:18:44 UTC
(In reply to Diogo Pereira from comment #4)
> This needs a bump of dev-python/rtslib-fb first.
> I opened https://github.com/gentoo/gentoo/pull/16516 a while ago for that...

Done. Sorry for the delay.
Comment 6 Larry the Git Cow gentoo-dev 2020-08-25 00:10:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934814f627d542bae52f0500ad6cf003525e23f2

commit 934814f627d542bae52f0500ad6cf003525e23f2
Author:     Diogo Pereira <sir.suriv@gmail.com>
AuthorDate: 2020-08-16 23:14:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-25 00:06:07 +0000

    sys-block/targetcli-fb: bump to 2.1.53
    
    Bug: https://bugs.gentoo.org/722674
    Bug: https://bugs.gentoo.org/736086
    Closes: https://bugs.gentoo.org/718528
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Diogo Pereira <sir.suriv@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17142
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 +
 sys-block/targetcli-fb/targetcli-fb-2.1.53.ebuild | 28 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 01:50:51 UTC
x86 done
Comment 8 NATTkA bot gentoo-dev 2020-08-25 12:36:56 UTC
Unable to check for sanity:

> dependent bug #728770 is missing keywords
Comment 9 Sam James archtester gentoo-dev Security 2020-08-25 12:37:56 UTC
amd64 done

all arches done
Comment 10 Sam James archtester gentoo-dev Security 2020-08-25 12:40:48 UTC
amd64 done

all arches done
Comment 11 Sam James archtester gentoo-dev Security 2020-08-25 12:41:14 UTC
Please cleanup.
Comment 12 NATTkA bot gentoo-dev 2020-08-25 12:41:44 UTC
Unable to check for sanity:

> dependent bug #728770 is missing keywords
Comment 13 Larry the Git Cow gentoo-dev 2020-08-30 03:14:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64f2a898441e0332284a6533e4f797b7bbf5a8a5

commit 64f2a898441e0332284a6533e4f797b7bbf5a8a5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:14:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:14:38 +0000

    sys-block/targetcli-fb: security cleanup
    
    Bug: https://bugs.gentoo.org/736086
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 -
 sys-block/targetcli-fb/targetcli-fb-2.1.51.ebuild | 28 -----------------------
 2 files changed, 29 deletions(-)
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-08-30 21:14:48 UTC
This issue was resolved and addressed in
 GLSA 202008-22 at https://security.gentoo.org/glsa/202008-22
by GLSA coordinator Sam James (sam_c).
Comment 15 Larry the Git Cow gentoo-dev 2020-08-30 22:45:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bc8d65d5a15200942dc7c66c1fcc0ba7102099c

commit 2bc8d65d5a15200942dc7c66c1fcc0ba7102099c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 22:45:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 22:45:26 +0000

    sys-block/targetcli-fb: security cleanup
    
    Bug: https://bugs.gentoo.org/736086
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/targetcli-fb/Manifest                   |  1 -
 sys-block/targetcli-fb/targetcli-fb-2.1.49.ebuild | 33 -----------------------
 2 files changed, 34 deletions(-)