Debian Bug report logs - #496410
The possibility of attack with the help of symlinks in some Debian packages

version graph

Package: cman; Maintainer for cman is Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>; Source for cman is src:redhat-cluster.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:11:16 UTC

Severity: important

Tags: security

Fixed in versions redhat-cluster/2.20081102-1, redhat-cluster/2.20080801-4+lenny1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:29 +0400
Package: cman
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
desctruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. Howewer in some cases mistake is possible.

Please, Be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 496410@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496410@bugs.debian.org
Subject: Re: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 13:15:07 -0700
severity 496410 important
thanks

On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave

> Binary-package: cman (2.20080629-1)
>     file: /usr/sbin/fence_egenera

The broken usage is:

	local *egen_log;
	open(egen_log,">/tmp/eglog");
	[...]
	print egen_log "shutdown: $trys    $status\n";
	[...]
	print egen_log "shutdown: crash dump being performed. Waiting\n";
	[...]
	print egen_log "shutdown: $cmd  being called, before open3\n";
	[...]
	print egen_log "shutdown: after calling open3\n";
	[...]
	print egen_log "shutdown: Open3 result: ", @outlines, "\n";
	[...]
	print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

This is, of course, wrong, and subject to symlink attack.  However, I don't
see any way that this can be exploitable for privilege escalation, which is
the standard for 'grave' severity security bugs: it doesn't allow arbitrary
output to the file, only a finite set of strings which are not valid shell,
cron entries, password/shadow entries, or any other config file that I know
of.

So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `important' from `grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 24 Aug 2008 20:18:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #17 received at 496410@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: Steve Langasek <vorlon@debian.org>
Cc: 496410@bugs.debian.org
Subject: Re: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 10:40:31 +0400
[Message part 1 (text/plain, inline)]
tags 496410 security
thanks

On 13:15 Sun 24 Aug     , Steve Langasek wrote:
SL> severity 496410 important
SL> thanks

You are mistake :)

Your script places in /usr/sbin, ie it runs with root privs.
If I create symlink /etc/shadow -> /tmp/eglog and You start this script,
then your system 'll damaged.

Please, check it again :) (and please, revert severity level)

SL> On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
SL>> Package: cman
SL>> Severity: grave

SL>> Binary-package: cman (2.20080629-1)
SL>>     file: /usr/sbin/fence_egenera

SL> The broken usage is:

SL> local *egen_log;
SL> open(egen_log,">/tmp/eglog");
SL> [...]
SL> print egen_log "shutdown: $trys    $status\n";
SL> [...]
SL> print egen_log "shutdown: crash dump being performed. Waiting\n";
SL> [...]
SL> print egen_log "shutdown: $cmd  being called, before open3\n";
SL> [...]
SL> print egen_log "shutdown: after calling open3\n";
SL> [...]
SL> print egen_log "shutdown: Open3 result: ", @outlines, "\n";
SL> [...]
SL> print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

SL> This is, of course, wrong, and subject to symlink attack.  However, I don't
SL> see any way that this can be exploitable for privilege escalation, which is
SL> the standard for 'grave' severity security bugs: it doesn't allow arbitrary
SL> output to the file, only a finite set of strings which are not valid shell,
SL> cron entries, password/shadow entries, or any other config file that I know
SL> of.

SL> So at best this appears to be a DoS symlink attack; therefore downgrading.
--

. ''`. Dmitry E. Oboukhov
: :’  : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #22 received at 496410@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Cc: 496410@bugs.debian.org
Subject: Re: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 23:57:56 -0700
On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug     , Steve Langasek wrote:
> SL> severity 496410 important
> SL> thanks

> You are mistake :)

> Your script places in /usr/sbin, ie it runs with root privs.
> If I create symlink /etc/shadow -> /tmp/eglog and You start this script,
> then your system 'll damaged.

The standard for grave-severity security bugs in Debian is "can be used by
an attacker to gain control of an account of a user who uses this package",
not "can be used by an attacker to create a Denial of Service by breaking
the system".  Writing this garbage to /etc/shadow will not result in
privilege escalation, it will only result in a broken system; therefore, it
is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:45 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:35 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <unera@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 496410@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <unera@debian.org>
To: 496410@bugs.debian.org, control@bugs.debian.org
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 19:12:29 +0400
[Message part 1 (text/plain, inline)]
severity 496410 grave
thanks

SL> So I don't think I've made a mistake here.

You are mistake, see
http://www.debian.org/Bugs/Developer.en.html#severities

quote:

grave
    makes the package in question unusable or mostly so, or causes data
    loss, or introduces a security hole allowing access to the accounts
    of users who use the package.


_or_ _causes_ _data_ _loss_

create symlink /etc/shadow -> /tmp/eglog and you are loss 
data of /etc/shadow :)

--
... mpd is off

. ''`.                               Dmitry E. Oboukhov
: :’  : mailto://unera@debian.org jabber://UNera@uvw.ru
`. `~’              GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[signature.asc (application/pgp-signature, inline)]

Severity set to `grave' from `important' Request was from "Dmitry E. Oboukhov" <unera@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 15:15:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #38 received at 496410@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: "Dmitry E. Oboukhov" <unera@debian.org>, 496410@bugs.debian.org
Subject: Re: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 17:26:59 +0200
severity 496410 important
thanks

On Wed, Aug 27, 2008 at 07:12:29PM +0400, Dmitry E. Oboukhov wrote:
> _or_ _causes_ _data_ _loss_

It does not cause data loss, the admin needs to execute it. And now stop
bitching around.

Bastian

-- 
Superior ability breeds superior ambition.
		-- Spock, "Space Seed", stardate 3141.9




Severity set to `important' from `grave' Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 15:30:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Sat, 11 Oct 2008 11:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tobias Klauser <tklauser@distanz.ch>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sat, 11 Oct 2008 11:57:02 GMT) Full text and rfc822 format available.

Message #45 received at 496410@bugs.debian.org (full text, mbox):

From: Tobias Klauser <tklauser@distanz.ch>
To: 496410@bugs.debian.org
Subject: Re: Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Date: Sat, 11 Oct 2008 13:56:02 +0200
Hi,

It looks like there are some more tempfile creation problems in the
redhat-cluster source package.

1) In rgmanager/src/daemons/main.c (line 707):

	void
	dump_internal_state(char *loc)
	{
		FILE *fp;
		fp=fopen(loc, "w+");
		dump_config_version(fp);
		dump_threads(fp);
		dump_vf_states(fp);
	#ifdef WRAP_THREADS
		dump_thread_states(fp);
	#endif
		dump_cluster_ctx(fp);
		//malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c us used */
		fclose(fp);
	}
	...
	dump_internal_state("/tmp/rgmanager-dump");

This file is part of the binary clurgmgrd (package rgmanager) which is run as
root.

2) In gfs2/edit/savemeta.c (line 27):

	#define DFT_SAVE_FILE "/tmp/gfsmeta"
	...
	if (!out_fn)
                out_fn = DFT_SAVE_FILE;
        out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
        if (out_fd < 0)
                die("Can't open %s: %s\n", out_fn, strerror(errno));

        if (ftruncate(out_fd, 0))
                die("Can't truncate %s: %s\n", out_fn, strerror(errno));

This file is part of the binary gfs2_edit (package gfs2-tools) which is run as
root.

3) In ccs/ccs_tool/upgrade.c (line 223):

	sprintf(tmp_file, "/tmp/tmp_%d", getpid());

	tmp_fd = open(tmp_file, O_RDWR | O_CREAT |O_TRUNC, S_IRUSR|S_IWUSR)
	...
	unlink(tmp_file);

The filename is only depended on the PID of the process. Though, the binary
ccs_tool does not seem to be part of any package built from the redhat-cluster
source package.

Cheers, Tobias




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Fri, 17 Oct 2008 12:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 17 Oct 2008 12:33:03 GMT) Full text and rfc822 format available.

Message #50 received at 496410@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 496410@bugs.debian.org
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Fri, 17 Oct 2008 14:23:11 +0200
[Message part 1 (text/plain, inline)]
Hi,
the following two additional CVE ids have been assigned to 
symlink issues in cman & redhat-cluster:
CVE-2008-4579[0]:
| The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
| fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
| allows local users to append to arbitrary files via a symlink attack
| on the apclog temporary file.

CVE-2008-4580[1]:
| fence_manual in fence allows local users to modify arbitrary files via
| a symlink attack on the fence_manual.fifo temporary file.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4579
    http://security-tracker.debian.net/tracker/CVE-2008-4579
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4580
    http://security-tracker.debian.net/tracker/CVE-2008-4580

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: pending Request was from Frederik Schüler <fs@alioth.debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 12:24:11 GMT) Full text and rfc822 format available.

Reply sent to Frederik Schüler <fs@debian.org>:
You have taken responsibility. (Mon, 03 Nov 2008 18:21:02 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Mon, 03 Nov 2008 18:21:03 GMT) Full text and rfc822 format available.

Message #57 received at 496410-close@bugs.debian.org (full text, mbox):

From: Frederik Schüler <fs@debian.org>
To: 496410-close@bugs.debian.org
Subject: Bug#496410: fixed in redhat-cluster 2.20081102-1
Date: Mon, 03 Nov 2008 18:17:04 +0000
Source: redhat-cluster
Source-Version: 2.20081102-1

We believe that the bug you reported is fixed in the latest version of
redhat-cluster, which is due to be installed in the Debian FTP archive:

cman_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/cman_2.20081102-1_amd64.deb
gfs-tools_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/gfs-tools_2.20081102-1_amd64.deb
gfs2-tools_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/gfs2-tools_2.20081102-1_amd64.deb
gnbd-client_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/gnbd-client_2.20081102-1_amd64.deb
gnbd-server_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/gnbd-server_2.20081102-1_amd64.deb
libcman-dev_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/libcman-dev_2.20081102-1_amd64.deb
libcman2_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/libcman2_2.20081102-1_amd64.deb
libdlm-dev_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/libdlm-dev_2.20081102-1_amd64.deb
libdlm2_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/libdlm2_2.20081102-1_amd64.deb
redhat-cluster-source_2.20081102-1_all.deb
  to pool/main/r/redhat-cluster/redhat-cluster-source_2.20081102-1_all.deb
redhat-cluster-suite_2.20081102-1_all.deb
  to pool/main/r/redhat-cluster/redhat-cluster-suite_2.20081102-1_all.deb
redhat-cluster_2.20081102-1.diff.gz
  to pool/main/r/redhat-cluster/redhat-cluster_2.20081102-1.diff.gz
redhat-cluster_2.20081102-1.dsc
  to pool/main/r/redhat-cluster/redhat-cluster_2.20081102-1.dsc
redhat-cluster_2.20081102.orig.tar.gz
  to pool/main/r/redhat-cluster/redhat-cluster_2.20081102.orig.tar.gz
rgmanager_2.20081102-1_amd64.deb
  to pool/main/r/redhat-cluster/rgmanager_2.20081102-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frederik Schüler <fs@debian.org> (supplier of updated redhat-cluster package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Nov 2008 18:16:49 +0100
Source: redhat-cluster
Binary: redhat-cluster-suite cman libcman2 libcman-dev libdlm2 libdlm-dev gfs-tools gfs2-tools gnbd-client gnbd-server rgmanager redhat-cluster-source
Architecture: source amd64 all
Version: 2.20081102-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Frederik Schüler <fs@debian.org>
Description: 
 cman       - Red Hat cluster suite - cluster manager
 gfs-tools  - Red Hat cluster suite - global file system tools
 gfs2-tools - Red Hat cluster suite - global file system 2 tools
 gnbd-client - Red Hat cluster suite - global network block device client tools
 gnbd-server - Red Hat cluster suite - global network block device server tools
 libcman-dev - Red Hat cluster suite - cluster manager development files
 libcman2   - Red Hat cluster suite - cluster manager libraries
 libdlm-dev - Red Hat cluster suite - distributed lock manager development file
 libdlm2    - Red Hat cluster suite - distributed lock manager library
 redhat-cluster-source - Red Hat cluster suite - kernel modules source
 redhat-cluster-suite - Red Hat cluster suite - metapackage
 rgmanager  - Red Hat cluster suite - clustered resource group manager
Closes: 496410 503610
Changes: 
 redhat-cluster (2.20081102-1) unstable; urgency=medium
 .
   * New upstream release version 2.03.09.
     - Upstream code audit fixes several tmpfile race conditions, among
       them CVE-2008-4579 and CVE-2008-4580. (Closes: #496410)
     - Drop 01_qdisk-uninitialized.dpatch and 02_gfs-kernel-fix.dpatch:
       merged upstream.
    * Add svedish debconf translation, thanks to Martin Bagge.
     (Closes: #503610)
   * Cman: add sg3-utils dependency for scsi_reserve support.
Checksums-Sha1: 
 d993e2d0b4166f2aafc6a46ffd67ae35b806b845 1653 redhat-cluster_2.20081102-1.dsc
 87463b152540de2175c133d06df26935cd33bbbb 1707777 redhat-cluster_2.20081102.orig.tar.gz
 6ac5240dd053c9c192ee271804b422efddcd49f0 37449 redhat-cluster_2.20081102-1.diff.gz
 172ba44ec8ed3ba8e0bde89e698295f0989a47d4 501350 cman_2.20081102-1_amd64.deb
 75b3bfb13d48845184004b9a898483975c3f03e8 14642 libcman2_2.20081102-1_amd64.deb
 c9c4ced9ee58d5cab793a77765e8bed829304728 18384 libcman-dev_2.20081102-1_amd64.deb
 59305f4a68a679591a908584be30dbb91a7d821e 19154 libdlm2_2.20081102-1_amd64.deb
 712e1cff41a68184ece7e51ea769cfecd12415fa 34292 libdlm-dev_2.20081102-1_amd64.deb
 bcaf6619d1f73c9e77dab6b35e255f1b2b5f1950 195560 gfs-tools_2.20081102-1_amd64.deb
 09f2cff85659d090cc75a0375abea08fa65f1697 317060 gfs2-tools_2.20081102-1_amd64.deb
 71d095bedb4743afa09f7d81ce0999d3b1f76a50 58874 gnbd-client_2.20081102-1_amd64.deb
 5f1b0498eb59d10c5a7bea4971cfc548bc2efcaf 54594 gnbd-server_2.20081102-1_amd64.deb
 7673c0d0f62976c830bbc716fd7adedb30d53267 309402 rgmanager_2.20081102-1_amd64.deb
 3266da5372b6eadeb521e3e894a2c6053932bacc 7256 redhat-cluster-suite_2.20081102-1_all.deb
 d68af08c5d99f43e0f68f6b292212124ab5a1781 174026 redhat-cluster-source_2.20081102-1_all.deb
Checksums-Sha256: 
 2ee22c908813d4a51f56a7aa1fc2f4f5a200f015d8e9e267678b75fc2c78c85c 1653 redhat-cluster_2.20081102-1.dsc
 cb59aaca5d4f85bc9bcd19709c0e93fd377734b82fe795096c6577569402e27d 1707777 redhat-cluster_2.20081102.orig.tar.gz
 166cac4cb2f2c474f019cdcf1630a694080c082147bf4e24ab3114c964d42e16 37449 redhat-cluster_2.20081102-1.diff.gz
 8a5682d35aa36b0fefe54361a3a236da553162072a7bc62b24777faad3b88ba6 501350 cman_2.20081102-1_amd64.deb
 0e674f23cb8d96d3c3fccd8f9c5002d1346c4600a503578158e5d4a63917fc65 14642 libcman2_2.20081102-1_amd64.deb
 e962d56db3480a1dec160ada52c7e2dc761f3f755bfdc6fa11cb88e7fc97b7c1 18384 libcman-dev_2.20081102-1_amd64.deb
 1d2141c8217432b1ba076b904c7fa2cd8c821db45afbd73f221a14ca2fd628ea 19154 libdlm2_2.20081102-1_amd64.deb
 7597e9acfc298d5a42119239f9a7eb37f874911d1c234492b4597c0aad9b8a24 34292 libdlm-dev_2.20081102-1_amd64.deb
 03258affcecd46ae4191812d64907b1d17c45bf31579c7d9d37f84255ff639d2 195560 gfs-tools_2.20081102-1_amd64.deb
 2eb5562981423ebc235ae89f04f3fb529da4284aa8b70f298451cd464fd9f78f 317060 gfs2-tools_2.20081102-1_amd64.deb
 76f7a96ddf4424c9a5be43abc39e0113cc54c755bc894519a53e18ce8c69d197 58874 gnbd-client_2.20081102-1_amd64.deb
 ebe9df6d51d782ed8e0ec3e56edf0ab7fb15c63b70d1d4c1fee30dc862cdcf48 54594 gnbd-server_2.20081102-1_amd64.deb
 b18ea7259b0142492a0b254d633c101807332073ad18df1340567f458f29b038 309402 rgmanager_2.20081102-1_amd64.deb
 e4e3f75adc46c3293b6fd9fa212e48975f5ecb459a2b4c62d2aaa2dc039979f3 7256 redhat-cluster-suite_2.20081102-1_all.deb
 3979b72dd3688814d34dcf11f533976f6dace00b43c75b5845b9830bfb5638f0 174026 redhat-cluster-source_2.20081102-1_all.deb
Files: 
 995efefe76d4403f641dfaf94c960d59 1653 admin optional redhat-cluster_2.20081102-1.dsc
 cf768612d673058a83bb6dcc562582e5 1707777 admin optional redhat-cluster_2.20081102.orig.tar.gz
 0779fdc0089753022f968b29506eec04 37449 admin optional redhat-cluster_2.20081102-1.diff.gz
 886c86d082660837a818dacb6724c8bf 501350 admin optional cman_2.20081102-1_amd64.deb
 e4555460c98c168bf7c401da6f3b7b6b 14642 libs optional libcman2_2.20081102-1_amd64.deb
 b046c4edaaa68bcbeb740dec6c1b169f 18384 libdevel optional libcman-dev_2.20081102-1_amd64.deb
 e68c34bce1665bccfaf29435374d26d8 19154 libs optional libdlm2_2.20081102-1_amd64.deb
 7a4094c34e964cb2896e2674f66f5196 34292 libdevel optional libdlm-dev_2.20081102-1_amd64.deb
 f0c83a6f3f24ad811aa0308422a9fc8a 195560 admin optional gfs-tools_2.20081102-1_amd64.deb
 290b38b81cc5cda5c617eb1b5216d342 317060 admin optional gfs2-tools_2.20081102-1_amd64.deb
 8692b308f069029dd278732d7f28ed44 58874 admin optional gnbd-client_2.20081102-1_amd64.deb
 549379dcbae09bcf7d9ca993aca79991 54594 admin optional gnbd-server_2.20081102-1_amd64.deb
 3a1277bb3e027e28f3c2396a72d2bd0f 309402 admin optional rgmanager_2.20081102-1_amd64.deb
 fc4a1b52dc05b84da8a386b287735b09 7256 admin optional redhat-cluster-suite_2.20081102-1_all.deb
 05c16e4fbfa7514d259ad40dadafdecc 174026 admin optional redhat-cluster-source_2.20081102-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkPO2wACgkQ6n7So0GVSSBP2ACbBbdEgMsLdG5JFi9Q/zY7cTTq
QhEAnAkS4hryticFiSWdjPLD1Rq2ZJN3
=ljKy
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Tue, 18 Nov 2008 19:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Tue, 18 Nov 2008 19:42:06 GMT) Full text and rfc822 format available.

Message #62 received at 496410@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 496410@bugs.debian.org
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 18 Nov 2008 20:40:07 +0100 (CET)
The new upstream version that fixes this bug introduces a lot of other 
changes and doesn't seem acceptable for lenny.

Is anyone working on backporting the fix for a t-p-u upload? I can 
probably do it later this week but I don't want to duplicate work.

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Fri, 28 Nov 2008 22:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 28 Nov 2008 22:57:04 GMT) Full text and rfc822 format available.

Message #67 received at 496410@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: debian-release@lists.debian.org
Cc: 496410@bugs.debian.org
Subject: redhat-cluster tmpfile fixes
Date: Fri, 28 Nov 2008 23:53:45 +0100 (CET)
Hi,

please accept redhat-cluster 2.20080801-4+lenny1 which I have just 
uploaded to testing-proposed-updates:

   * Fix several tmpfile race conditions, among them CVE-2008-4192 and
     CVE-2008-4579. (Closes: #496410)

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Fri, 28 Nov 2008 23:27:29 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 28 Nov 2008 23:27:29 GMT) Full text and rfc822 format available.

Message #72 received at 496410@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 496410@bugs.debian.org
Subject: Re: Bug#496410: redhat-cluster tmpfile fixes
Date: Sat, 29 Nov 2008 00:28:27 +0100
On Fri, Nov 28, 2008 at 11:53:45PM +0100, Stefan Fritsch wrote:
> please accept redhat-cluster 2.20080801-4+lenny1 which I have just  
> uploaded to testing-proposed-updates:

Where is the patch? Do I have to remind you about the NMU procedures?

Bastian

-- 
Deflector shields just came on, Captain.




Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Fri, 28 Nov 2008 23:27:31 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Fri, 28 Nov 2008 23:27:32 GMT) Full text and rfc822 format available.

Message #77 received at 496410-close@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 496410-close@bugs.debian.org
Subject: Bug#496410: fixed in redhat-cluster 2.20080801-4+lenny1
Date: Fri, 28 Nov 2008 23:02:05 +0000
Source: redhat-cluster
Source-Version: 2.20080801-4+lenny1

We believe that the bug you reported is fixed in the latest version of
redhat-cluster, which is due to be installed in the Debian FTP archive:

cman_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/cman_2.20080801-4+lenny1_i386.deb
gfs-tools_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/gfs-tools_2.20080801-4+lenny1_i386.deb
gfs2-tools_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/gfs2-tools_2.20080801-4+lenny1_i386.deb
gnbd-client_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/gnbd-client_2.20080801-4+lenny1_i386.deb
gnbd-server_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/gnbd-server_2.20080801-4+lenny1_i386.deb
libcman-dev_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/libcman-dev_2.20080801-4+lenny1_i386.deb
libcman2_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/libcman2_2.20080801-4+lenny1_i386.deb
libdlm-dev_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/libdlm-dev_2.20080801-4+lenny1_i386.deb
libdlm2_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/libdlm2_2.20080801-4+lenny1_i386.deb
redhat-cluster-source_2.20080801-4+lenny1_all.deb
  to pool/main/r/redhat-cluster/redhat-cluster-source_2.20080801-4+lenny1_all.deb
redhat-cluster-suite_2.20080801-4+lenny1_all.deb
  to pool/main/r/redhat-cluster/redhat-cluster-suite_2.20080801-4+lenny1_all.deb
redhat-cluster_2.20080801-4+lenny1.diff.gz
  to pool/main/r/redhat-cluster/redhat-cluster_2.20080801-4+lenny1.diff.gz
redhat-cluster_2.20080801-4+lenny1.dsc
  to pool/main/r/redhat-cluster/redhat-cluster_2.20080801-4+lenny1.dsc
rgmanager_2.20080801-4+lenny1_i386.deb
  to pool/main/r/redhat-cluster/rgmanager_2.20080801-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated redhat-cluster package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 28 Nov 2008 19:15:39 +0100
Source: redhat-cluster
Binary: redhat-cluster-suite cman libcman2 libcman-dev libdlm2 libdlm-dev gfs-tools gfs2-tools gnbd-client gnbd-server rgmanager redhat-cluster-source
Architecture: source i386 all
Version: 2.20080801-4+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 cman       - Red Hat cluster suite - cluster manager
 gfs-tools  - Red Hat cluster suite - global file system tools
 gfs2-tools - Red Hat cluster suite - global file system 2 tools
 gnbd-client - Red Hat cluster suite - global network block device client tools
 gnbd-server - Red Hat cluster suite - global network block device server tools
 libcman-dev - Red Hat cluster suite - cluster manager development files
 libcman2   - Red Hat cluster suite - cluster manager libraries
 libdlm-dev - Red Hat cluster suite - distributed lock manager development file
 libdlm2    - Red Hat cluster suite - distributed lock manager library
 redhat-cluster-source - Red Hat cluster suite - kernel modules source
 redhat-cluster-suite - Red Hat cluster suite - metapackage
 rgmanager  - Red Hat cluster suite - clustered resource group manager
Closes: 496410
Changes: 
 redhat-cluster (2.20080801-4+lenny1) testing-proposed-updates; urgency=low
 .
   * Non-maintainer upload by the security team.
   * Fix several tmpfile race conditions, among them CVE-2008-4192 and
     CVE-2008-4579. (Closes: #496410)
Checksums-Sha1: 
 dbfc7c0a1a2fd19324263dbe3dd6215a3aea7d2d 1673 redhat-cluster_2.20080801-4+lenny1.dsc
 f3277a8afc828cfff2f9bf3e46a040dd7123485b 26948 redhat-cluster_2.20080801-4+lenny1.diff.gz
 8a7a25789d70199983f015037e4ce70ec90f7e3d 456436 cman_2.20080801-4+lenny1_i386.deb
 088368b4448d021b9bfa81c74a7a9a8c7f38d6b2 13754 libcman2_2.20080801-4+lenny1_i386.deb
 2ca4bcf9232b5db04416dc337526ed80f55ad068 17632 libcman-dev_2.20080801-4+lenny1_i386.deb
 1e8af2274ceb78b2cd1ba41a09b3bd4cd44b7656 17472 libdlm2_2.20080801-4+lenny1_i386.deb
 61d01fb92284a7328f24ccf8ac8859ef1b514954 31960 libdlm-dev_2.20080801-4+lenny1_i386.deb
 49344f12f87305b74901571bf7e8bc7d3685cc78 192042 gfs-tools_2.20080801-4+lenny1_i386.deb
 ca313d0632f2fc0fb72764632f9fe318514af4f7 300086 gfs2-tools_2.20080801-4+lenny1_i386.deb
 36dea408c877d91f91f50e68e91986c5f97dff21 48352 gnbd-client_2.20080801-4+lenny1_i386.deb
 a555f6ed431555a3cb06653dc86e5a87864269c2 47660 gnbd-server_2.20080801-4+lenny1_i386.deb
 13c97332fde9d22eec10747a0609f85310e73342 288028 rgmanager_2.20080801-4+lenny1_i386.deb
 27cb5fde12421182ecaade1c03f9404f9b9a7c74 7152 redhat-cluster-suite_2.20080801-4+lenny1_all.deb
 720ba0c540a8ff25d4240945baff03c3d873267d 171614 redhat-cluster-source_2.20080801-4+lenny1_all.deb
Checksums-Sha256: 
 ed702d64e39a383525873cc30ee562389ffb88058e089de58629d84f823d96c6 1673 redhat-cluster_2.20080801-4+lenny1.dsc
 609046c35d8b2aafe62003193ff0d3161a78d6ee8f37768bfae769a9cad04321 26948 redhat-cluster_2.20080801-4+lenny1.diff.gz
 aa1fd9bb6318920d7c30a9aeacafbe1b5628c4c21769b584b3346fc4ab1c7849 456436 cman_2.20080801-4+lenny1_i386.deb
 4872500323bd85dadbde5faa3d656ddbccea0aaf849f98644a2ac5c969c4d654 13754 libcman2_2.20080801-4+lenny1_i386.deb
 b558ca4785ee528eafe49a663d760894a57da6bb91143f3044414d4d7ce5dd0f 17632 libcman-dev_2.20080801-4+lenny1_i386.deb
 8c684990c56639fc0d4b21012a4b52767b9698d146cfef49a1c9a2636e8fdf4a 17472 libdlm2_2.20080801-4+lenny1_i386.deb
 f4ab369579ad5466890e2dd3c93e10860ec9c670e586d894cf29e9d9792af1cc 31960 libdlm-dev_2.20080801-4+lenny1_i386.deb
 43bf1db4fdbef181ccdd97f088e5d4913eabfeb1052212223124fe6748fc89cb 192042 gfs-tools_2.20080801-4+lenny1_i386.deb
 f6805b2aafd3a3e93acc6ff4ca1b1bc2d53f8b5d97fedb511796b4bed2b5d9db 300086 gfs2-tools_2.20080801-4+lenny1_i386.deb
 3854010822527eddd545bef1089efc6941dd47acd56b8e46a46b3670ad56f253 48352 gnbd-client_2.20080801-4+lenny1_i386.deb
 8f7ff50fc2afac7238f157cb710dd26adea9f7e1f41c03aa3f47b0dc6f8bc7b1 47660 gnbd-server_2.20080801-4+lenny1_i386.deb
 ba6192dd2757a845b24a7d90a957764e600123486407e4b1a50062dc960c33e2 288028 rgmanager_2.20080801-4+lenny1_i386.deb
 759f65642ed6121cafc55b353e260566b9ed0652c3d534b76624cbf1ca2cbc4e 7152 redhat-cluster-suite_2.20080801-4+lenny1_all.deb
 b18509b5a511788967eaadfa4396f6095792f3a9b17e6278e74d5510cb988e8f 171614 redhat-cluster-source_2.20080801-4+lenny1_all.deb
Files: 
 e2d49f4c3d22d8647bed9fed924e5509 1673 admin optional redhat-cluster_2.20080801-4+lenny1.dsc
 aeaaadb2b179c69e13e78876e06a8cc8 26948 admin optional redhat-cluster_2.20080801-4+lenny1.diff.gz
 ec25963615eabc83e6673c8823cbd78e 456436 admin optional cman_2.20080801-4+lenny1_i386.deb
 2edebd2e39698483d8d0e2011f92e2c3 13754 libs optional libcman2_2.20080801-4+lenny1_i386.deb
 c4b91344ee0cdcba4d794c37a445e130 17632 libdevel optional libcman-dev_2.20080801-4+lenny1_i386.deb
 f2eeafbd743f8a2f91f127dd6235cfe2 17472 libs optional libdlm2_2.20080801-4+lenny1_i386.deb
 65e71ff0828500592313f0f946e460e5 31960 libdevel optional libdlm-dev_2.20080801-4+lenny1_i386.deb
 94a6f5c44b18f7d062c6a94758edc426 192042 admin optional gfs-tools_2.20080801-4+lenny1_i386.deb
 9049fc178040ad0158d94c6c05f2af20 300086 admin optional gfs2-tools_2.20080801-4+lenny1_i386.deb
 b0a9fc713d3c056ac8bdcdd55b9fa487 48352 admin optional gnbd-client_2.20080801-4+lenny1_i386.deb
 d476363d8935d246d7d67e8a40301e36 47660 admin optional gnbd-server_2.20080801-4+lenny1_i386.deb
 a2cf1764a1bd90a2712b4b49960abbd7 288028 admin optional rgmanager_2.20080801-4+lenny1_i386.deb
 f18399bda9cccc0da1c95fcfa0171d5a 7152 admin optional redhat-cluster-suite_2.20080801-4+lenny1_all.deb
 ee85ca67f026f8eb9fbe99bb58ebc312 171614 admin optional redhat-cluster-source_2.20080801-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJMHDVbxelr8HyTqQRApYEAKC8NZIuSaVh5pFTLxZJTsFHR43HOACgjpUK
i/scSG3plTq24nR8Su96dbg=
=9tAr
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Fri, 28 Nov 2008 23:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 28 Nov 2008 23:51:02 GMT) Full text and rfc822 format available.

Message #82 received at 496410@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 496410@bugs.debian.org
Subject: Re: Bug#496410: redhat-cluster tmpfile fixes
Date: Sat, 29 Nov 2008 00:46:23 +0100 (CET)
here is the patch




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Fri, 28 Nov 2008 23:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 28 Nov 2008 23:51:04 GMT) Full text and rfc822 format available.

Message #87 received at 496410@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 496410@bugs.debian.org
Subject: Re: Bug#496410: redhat-cluster tmpfile fixes
Date: Sat, 29 Nov 2008 00:47:40 +0100 (CET)
[Message part 1 (text/plain, inline)]
> here is the patch
ups. second try
[patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#496410; Package cman. (Sun, 07 Dec 2008 18:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 07 Dec 2008 18:18:02 GMT) Full text and rfc822 format available.

Message #92 received at 496410@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: debian-release@lists.debian.org, 496410@bugs.debian.org
Subject: Re: redhat-cluster tmpfile fixes
Date: Sun, 07 Dec 2008 19:15:03 +0100
Stefan Fritsch wrote:
> Hi,
> 
> please accept redhat-cluster 2.20080801-4+lenny1 which I have just
> uploaded to testing-proposed-updates:
> 
>    * Fix several tmpfile race conditions, among them CVE-2008-4192 and
>      CVE-2008-4579. (Closes: #496410)

approved

cheers

Luk




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 Jan 2009 07:27:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:58:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.