Bug 152685

Summary: sysstat: A local attacker could overwrite system files using carefully-crafted symbolic links in the /tmp directory.
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, bugs.michael, cra, michal
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://perso.wanadoo.fr/sebastien.godard/
Whiteboard: LEGACY
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Lawrence 2005-03-30 23:23:56 UTC
A bug was found in the Red Hat sysstat package post and trigger scripts,
which used insecure temporary file names. A local attacker could overwrite
system files using carefully-crafted symbolic links in the /tmp directory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0107 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0107
https://rhn.redhat.com/errata/RHSA-2004-093.html
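The report above names the bug class (a packaging scriptlet writing to a fixed, predictable name under /tmp) but not the code. The following POSIX shell script is an added illustration, not part of this bug report and not the sysstat post or trigger scriptlet itself: it reproduces the attack and the fix inside a private sandbox directory so it never touches the real /tmp or any system file. The names `sysstat.tmp`, `important.conf` and all function names are constructed for the demonstration; the sandbox is deliberately not a sticky world-writable directory, so Linux's `fs.protected_symlinks` hardening does not mask the behaviour.

```shell
#!/bin/sh
# Added example (not the sysstat scriptlet): the insecure-/tmp pattern behind
# CAN-2004-0107, the attacker's pre-planted symlink, and two mitigations.
# Every path is constructed inside a private sandbox created by setup().

# Build the sandbox: a stand-in for /tmp and a stand-in for a root-owned file.
setup() {
    SANDBOX=$(mktemp -d) || return 1
    FAKE_TMP="$SANDBOX/tmp"                 # plays the role of world-writable /tmp
    TARGET="$SANDBOX/etc/important.conf"    # plays the role of a system file
    PREDICTABLE="$FAKE_TMP/sysstat.tmp"     # hypothetical fixed name a script uses
    mkdir -p "$FAKE_TMP" "$SANDBOX/etc"
}

# Put the target back into a known state so each scenario starts clean.
reset_target() {
    printf 'original contents\n' > "$TARGET"
}

# Attacker step: an unprivileged user pre-creates the predictable name as a
# symlink to the file they want clobbered. With a fixed name there is no race
# to win; the link can sit there waiting for the next package update.
plant_symlink() {
    rm -f "$PREDICTABLE"
    ln -s "$TARGET" "$PREDICTABLE"
}

# Vulnerable pattern: plain '>' redirection to the fixed name. open(2) follows
# the symlink, so when the scriptlet runs as root it overwrites the attacker's
# chosen file with whatever the script meant to put in its scratch file.
vulnerable_write() {
    echo "scratch data" > "$PREDICTABLE"
}

# Mitigation 1: mktemp(1) creates a fresh file with O_CREAT|O_EXCL and mode
# 0600 under an unpredictable name, so a pre-planted link is never opened.
safe_write() {
    tmp=$(mktemp "$FAKE_TMP/sysstat.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    rm -f "$tmp"
}

# Mitigation 2 (defence in depth, shell-dependent): set -C (noclobber) makes
# '>' refuse a path that already exists, so the write to the planted link is
# rejected instead of followed. Returns non-zero when the shell blocked it.
# This does not replace mktemp: the name is still predictable and a DoS
# (the script failing) remains possible.
noclobber_write() {
    ( set -C; echo "scratch data" > "$PREDICTABLE" ) 2>/dev/null
}

# Returns 0 while the target still holds its original contents.
target_intact() {
    [ "$(cat "$TARGET")" = "original contents" ]
}

cleanup() {
    rm -rf "$SANDBOX"
}

# Walk through the three scenarios and report what happened to the target.
demo() {
    setup || return 1
    reset_target; plant_symlink; vulnerable_write
    if target_intact; then echo "vulnerable: target intact"; else echo "vulnerable: TARGET OVERWRITTEN"; fi
    reset_target; plant_symlink; safe_write
    if target_intact; then echo "mktemp: target intact"; fi
    reset_target; plant_symlink
    if noclobber_write; then echo "noclobber: write went through"; else echo "noclobber: write refused"; fi
    if target_intact; then echo "noclobber: target intact"; fi
    cleanup
}

demo
```

Run as `sh thisfile.sh`; the first scenario reports the stand-in system file overwritten, the other two leave it intact. The same class of bug is what the `%triggerpostun` change in the legacy package addresses: the fix is to let `mktemp` choose the name and create the file atomically, never to "check then write" against a path an unprivileged user controls. On Linux 3.6 and later, `fs.protected_symlinks=1` stops root from following a symlink in a sticky world-writable directory when the link's owner differs from both root and the directory owner, which blunts this exploit on /tmp specifically, but scriptlets should not rely on that sysctl being set.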



------- Additional Comments From bugs.michael 2004-03-11 11:30:13 ----

rh73:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fac26b558d57d00f88439fb882f79bbe6a5d73d5  sysstat-4.0.3-3.legacy.src.rpm
d3d0088d82d7f8ad04d36dcf3807d1f68b57ea49  sysstat-4.0.3-3.legacy.i386.rpm

http://riva.homelinux.org/users/ms/sysstat-4.0.3-3.legacy.src.rpm
http://riva.homelinux.org/users/ms/sysstat-4.0.3-3.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAUNoh0iMVcrivHFQRAhX1AJ0bvIbMzyyE2h6PXNoaetSPbYK3/ACfY/qV
nrwxI6nMayWunubRYTxcTjI=
=zoY0
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-03-11 11:32:11 ----

Correct URLs:

http://riva.homelinux.org/users/ms/rpms/sysstat-4.0.3-3.legacy.src.rpm
http://riva.homelinux.org/users/ms/rpms/sysstat-4.0.3-3.legacy.i386.rpm




------- Additional Comments From bugs.michael 2004-03-26 06:13:43 ----

*** Bug 1375 has been marked as a duplicate of this bug. ***



------- Additional Comments From skvidal.edu 2004-04-30 19:33:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Verified modification matches those for RHL9
Built Package
Installed, tested, no change to functionality
 
One Problem - md5sum on src.rpm listed in bugzilla comments
does not match md5sum I get
- From download I get:
bce103af8a24726153e950e3c78784fe  sysstat-4.0.3-3.legacy.src.rpm
 
What gives?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAkzZ91Aj3x2mIbMcRApIQAJsG3+9s9yj+iHZhS13KuboIyWZSpgCcC0/c
xjKH/0Z6Prp+RYXYLlZuSNw=
=oOeu
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-05-01 01:28:19 ----

Fedora Legacy uses SHA1, not MD5.



------- Additional Comments From skvidal.edu 2004-05-01 02:49:37 ----

and the sha1sum still doesn't match
sha1sum sysstat-4.0.3-3.legacy.src.rpm
320e34917ad0a10c8988cf0b03b8c83dbcb38f96  sysstat-4.0.3-3.legacy.src.rpm




------- Additional Comments From bugs.michael 2004-05-01 04:04:01 ----

D'oh! Packages are signed anyway. I hate that extra checksum crap.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1
d3d0088d82d7f8ad04d36dcf3807d1f68b57ea49  sysstat-4.0.3-3.legacy.i386.rpm
226e522d29a95282e7b490d6ec7fa838706e065e  sysstat-4.0.3-3.legacy.src.rpm

MD5
ce24c3909fe3446be09972f68811390d  sysstat-4.0.3-3.legacy.i386.rpm
bce103af8a24726153e950e3c78784fe  sysstat-4.0.3-3.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAk64F0iMVcrivHFQRAjDuAJ0QyPG8k2keE7k5+nLnRUXw1xJRxACghx8I
nT801iBXbi1p6DLaHIrgDR0=
=Itiz
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-05-01 04:20:23 ----

Your md5 is correct, your sha1 is not.




------- Additional Comments From skvidal.edu 2004-05-01 05:40:56 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Discovered why my sha1sum was wrong - silly reason.
Everything checks out now.
This looks good
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAk8T81Aj3x2mIbMcRAk1WAJwMQaJCHQBCQYQvDBvzr6hHXBtu+gCggx2L
55P/p1QxHcBORtYU7lGn+U4=
=blej
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-05-01 06:32:05 ----

I have done basic testing of sysstat and it seems to be working ok on RH 7.3.



------- Additional Comments From skvidal.edu 2004-05-04 18:54:06 ----

Johnny, can we get a clearsigned PUBLISH from you so this one can go?





------- Additional Comments From jkeating 2004-05-05 16:39:45 ----

Missing 7.2/8.0 packages, will have to make those.



------- Additional Comments From marcdeslauriers 2004-05-27 16:23:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for 8.0:

87f90c4126b76e36d82f7c3e71bdcf15783b05e6  sysstat-4.0.5-4.legacy.i386.rpm
47a8b00f0b38be434fac3b4d3d35dca7b11bfcf9  sysstat-4.0.5-4.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/8.0/sysstat-4.0.5-4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/8.0/sysstat-4.0.5-4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAtqJ/LMAs/0C4zNoRAhjBAJ9nZZqL5XUCMcJxP3Tol0NDDgw4AgCeMB1z
FkFTOW1wD9pVjzkEMld28Kw=
=5iJd
-----END PGP SIGNATURE-----



------- Additional Comments From cra 2004-05-30 12:49:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 sums and GPG sigs verify.

88c5f9ca47bee745ce6ee83ee964d1716acafed5  sysstat-4.0.3-2.i386.rpm
d33bbbe38899448417cabd9c93d7bfc114739802  sysstat-4.0.3-2.src.rpm
d3d0088d82d7f8ad04d36dcf3807d1f68b57ea49  sysstat-4.0.3-3.legacy.i386.rpm
226e522d29a95282e7b490d6ec7fa838706e065e  sysstat-4.0.3-3.legacy.src.rpm

Verified only functional diff between sysstat-4.0.3-2.src.rpm
and sysstat-4.0.3-3.legacy.src.rpm is the %triggerpostun fix.

Verified no difference between binaries in sysstat-4.0.3-2.i386.rpm
and sysstat-4.0.3-3.legacy.i386.rpm.

(See clearsigned attachments for details)

Seems to be working on 7.3 after basic testing.

PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAumSVw2eg+Um7WIYRAtnFAKCADGf7Wgk7wgEM8nIk+COX+JiY/wCeK7xO
hvtlxLP+f7pNTNBg33jGGgs=
=FAtx
-----END PGP SIGNATURE-----




------- Additional Comments From cra 2004-05-30 12:51:24 ----

Created an attachment (id=701)
difference between sysstat-4.0.3-2.i386.rpm and sysstat-4.0.3-3.legacy.i386.rpm




------- Additional Comments From cra 2004-05-30 12:52:36 ----

Created an attachment (id=702)
difference between sysstat-4.0.3-2.src.rpm and sysstat-4.0.3-3.legacy.src.rpm




------- Additional Comments From jkeating 2004-05-31 12:39:54 ----

Pushed to updates-testing.

  http://download.fedoralegacy.org/redhat/
 
c1af56083459a8b771846142e668a24765b35b58  7.3/updates-testing/SRPMS/sysstat-4.0.3-3.legacy.src.rpm
62cf6b1362f2a9eeec5ea39a7aa2e1dc0f5c74d7  7.3/updates-testing/i386/sysstat-4.0.3-3.legacy.i386.rpm



------- Additional Comments From michal 2004-05-31 14:10:02 ----

Created an attachment (id=704)
additional patches for sysstat

Ouch!  There is an issue.  The last update to sysstat for RH9 had the following
entry in a changelog:

* Tue Feb 24 2004 Nils Philippsen <nphilipp> 4.0.7-3.rhl9.1

- fix insecure tmp files in scripts (#78212)
- handle interface names longer than 5 characters (#92052)
- increase maximum number of partitions (#110822)

I thought that I submitted corresponding patches to 4.0.3 a long time ago
but now I could not find them in bugzilla.  Either I eventually forgot or
this was another report.  Anyway, here they are.



------- Additional Comments From michal 2004-05-31 14:13:38 ----

An attachment from comment #19 is a short tar.gz file.  Bugzilla seems
to be losing that info.  Oh, well...



------- Additional Comments From bugs.michael 2004-05-31 14:33:21 ----

(From update of attachment 704)
correct MIME type for attachment 704




------- Additional Comments From jkeating 2004-06-10 16:08:50 ----

Packages including patch from comment #19 have been built and uploaded for QA

http://geek.j2solutions.net/rpms/legacy/sysstat/

3d956eb232bce72e0a6fc5c93f08fc1234e05222  7.3/sha1sums
cde9abc53ca5b87ce9e6f91b9f625c352b020969  7.3/sysstat-4.0.3-4.legacy.i386.rpm
c46c4a9b7f9e6af137f1fafd47331b93ccf85c3d  7.3/sysstat-4.0.3-4.legacy.src.rpm



------- Additional Comments From marcdeslauriers 2004-06-19 14:13:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA on the package:

c46c4a9b7f9e6af137f1fafd47331b93ccf85c3d  sysstat-4.0.3-4.legacy.src.rpm

* Spec file changes make sense
* Patches make sense
* Build, installs and runs OK

Although the patches introduced since 4.0.3-3.legacy don't seem to correct
security issues, I guess they should be in for completeness.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA1NaZLMAs/0C4zNoRAuGjAKCajbk6Y1m5qELDxwc042SKELhfsgCfcRh7
7SNmwR8PdiYUTxQ9zwUfpQM=
=PiB+
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-06-19 14:44:54 ----

Did you check whether patches applied to sysstat 4.0.7 are fully compatible with
sysstat 4.0.3 in the rest of the 4.0.3 code, too?




------- Additional Comments From marcdeslauriers 2004-06-19 16:58:22 ----

The patches that were added are the same patches that were made for 4.0.1 for
RHAS2.1 and 4.0.7 for RHL9. I checked them out, and there should be no problem
with 4.0.3.

Do you suspect otherwise?



------- Additional Comments From ckelley 2004-09-14 11:12:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
c46c4a9b7f9e6af137f1fafd47331b93ccf85c3d  sysstat-4.0.3-4.legacy.src.rpm
 
Builds just fine.
The maxparts patch is trivial and looks good.
The logifnames patch has a lot of good changes;  they all look reasonable.
Running sa1 and sa2 after installation works as expected.
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBR16pyQ+yTHz+jJkRAn7IAKCTwwB34UvAH8BNcD2yR0LID5jrcQCeIcge
KaXAXHsjVvgursIOZvo2T6s=
=0vjD
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-09-24 10:28:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c46c4a9b7f9e6af137f1fafd47331b93ccf85c3d  sysstat-4.0.3-4.legacy.src.rpm

- - sources are identical apart from expected patches
- - patches look sane
- - builds from source
- - iostat tested as functional

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBVIKaYzuFKFF44qURAppwAKC2k22EjAf7G1sPXotKZDCl/XIeYQCfWlW0
G71UT2bxzvHQc9nKMus5oWw=
=zTZR
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers 2004-09-27 11:26:40 ----

New packages have been built and will be pushed to updates-testing.



------- Additional Comments From marcdeslauriers 2004-09-28 01:48:00 ----

Pushed to updates-testing



------- Additional Comments From ckelley 2004-09-28 05:18:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
b2d1ced29b39cd024169b173d01db6fa99327bfb  sysstat-4.0.3-4.legacy.i386.rpm
5bd937c2c0d643ba5a4dcab9c1f5ded2d67c9fb5  sysstat-4.0.3-4.legacy.src.rpm
 
Binary package installs just fine.  System stat programs run just
fine; sa[12] update fine as well.  Source package rebuilds fine, and
the SHA1 sums match the binary package:
 
dc70e5fb7c58d878d1869858c9f24f47b5098a58  /etc/cron.d/sysstat
2dc9e5513bbad5bae4d571ab7ff8f57c430a72eb  /usr/bin/iostat
50fcef889ae42d0a3ca1e0d02b155ad6fcb06d69  /usr/bin/isag
322ba7a152e16724d09d1688bd5615bb393ba5be  /usr/bin/mpstat
3c8ec81ab851ec4008995a2c53d5a917bbc69d24  /usr/bin/sar
29543bb4700f770139633e5567037417cf615265  /usr/lib/sa/sa1
0b604ea0749073cce8ab1dc36d162f33a2d6426c  /usr/lib/sa/sa2
d811443a8208799f476ecc3a4526d16ec7834134  /usr/lib/sa/sadc
 
+VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBWYCuyQ+yTHz+jJkRAm1KAJ9mkoccq7hoqqUcwpWvGtbZlQ6RpQCgkiOM
g17bFlCwCUISKvZJngyFE2o=
=tkwE
-----END PGP SIGNATURE-----




------- Additional Comments From cra 2004-10-02 17:20:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA/Verify rh73 packages:

b2d1ced29b39cd024169b173d01db6fa99327bfb  sysstat-4.0.3-4.legacy.i386.rpm
5bd937c2c0d643ba5a4dcab9c1f5ded2d67c9fb5  sysstat-4.0.3-4.legacy.src.rpm

- - good sigs from 1024D/731002FA 2004-01-19 Fedora Legacy
(http://www.fedoralegacy.org) <secnotice>
- - good sha1sums
- - verified that these patches apply, as mentioned in changelog:

        Patch10: sysstat-4.0.3-longifnames.patch
        Patch11: sysstat-4.0-maxparts.patch

- - rpm-build-compare.sh shows no unintended changes between these pkgs
  and 4.0.3-2.

- - installs ok
- - works ok

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBX28Qw2eg+Um7WIYRAproAJ4g3JjL/gTShXxWofTOQ2NCaN2BHgCfcpeX
PstFihvZG/cUYDOEqge7t7I=
=cU1v
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-02 18:05:27 ----

Pushed to updates.



------- Additional Comments From bozo 2004-10-04 07:00:17 ----

Hi, I installed this today on two RH 7.3 systems; now sar doesn't work right,
and I don't think iostat is right either (always shows same values).

Does the sysstat db have to be rebuilt or something?

# sar
Linux 2.4.20-30.7.legacysmp (mail.pennysaverusa.net)    10/04/2004

12:00:00 AM       CPU     %user     %nice   %system     %idle
04:45:59 AM       all      1.69      1.32     51.75      0.00
04:00:00 PM       all    106.58    107.03     92.61      0.02
04:00:00 PM       all      0.00     99.98      0.00      0.00
04:00:00 PM       all    357831.82    6243.18    7925.00    101195.45
04:00:00 PM       all    100.00      0.10    100.00     40.10
03:08:32 PM       all    99205.16    99105.98      0.00      0.00
04:00:23 PM       all      0.00      0.00    9854.87      0.00
04:00:00 PM       all    101.13      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
03:04:21 PM       all      0.00    124.22      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
05:41:17 AM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00    53897628800.00    2852400.00    4689771200.00
09:19:31 AM       all      0.00    200.98    229.82      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00

04:00:00 PM       CPU     %user     %nice   %system     %idle
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:01:03 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00    6300.00
04:00:08 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00     81.39      0.00      0.08
04:30:15 AM       all    54359.28    8145211.15    590.03      0.00
04:55:04 AM       all    28674.27    26748.96    28723.77      1.85
02:17:48 PM       all      0.00    100.32      0.00      0.00
09:07:31 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all    429496627300.00    429496725100.00    3400.00    172404782700.00
12:48:01 AM       all      0.16    100.64    99759.49      0.00
04:00:00 PM       all    100.10      1.02      0.00      0.00
04:00:08 PM       all    429496728100.00    424703030500.00    429496727800.00      0.00
04:00:00 PM       all      0.00    85473067600.00    100.00    300.00
04:00:00 PM       all      0.04    143241104.23      0.00      0.17
04:00:00 PM       all      0.00     99.62      0.00      0.00
04:00:00 PM       all      0.00    2225584000.00      0.00    123064775900.00
12:15:48 PM       all      0.00    427271145600.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00    348.21      0.00    198.88
04:00:00 PM       all      0.00     64.38      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00

04:00:00 PM       CPU     %user     %nice   %system     %idle
08:06:56 AM       all      0.00    429496729400.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00    6300.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00    6300.00      0.00      0.00
04:00:00 PM       all      0.00    429496723300.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
04:00:00 PM       all      0.00      0.00      0.00      0.00
End of system activity file unexpected
# 




------- Additional Comments From bozo 2004-10-04 08:14:46 ----

Ignore comment about iostat; it seems to be OK.

sar only works correctly after deleting current log(s) from /var/log/sa/

Thanks,
Barry




------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1372 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1372
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
difference between sysstat-4.0.3-2.i386.rpm and sysstat-4.0.3-3.legacy.i386.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=701
difference between sysstat-4.0.3-2.src.rpm and sysstat-4.0.3-3.legacy.src.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=702
additional patches for sysstat
https://bugzilla.fedora.us/attachment.cgi?action=view&id=704

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.