Bug 152842

Summary: CAN-2004-0972 LVM "lvmcreate_initrd" Script Insecure Temporary File Creation
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: lvm
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas
Keywords: Security
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/13083/
Whiteboard: 1, LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2005-07-24 14:54:30 UTC

Description David Lawrence 2005-03-30 23:29:22 UTC
http://secunia.com/advisories/13083/

A vulnerability has been reported in LVM, which can be exploited by malicious,
local users to perform certain actions on a vulnerable system with escalated
privileges.

The vulnerability is caused due to the "lvmcreate_initrd" script creating
temporary files insecurely. This can be exploited via symlink attacks to
overwrite arbitrary files on the system with the privileges of the user invoking
the vulnerable script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136309

Patch:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=105434&action=view
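
The insecure temporary file class described above, as an added shell example that is not taken from lvmcreate_initrd or from the referenced patch: the predictable-name pattern appears only in a comment, beside a hardened form built on `mktemp -d` and noclobber. The function names and the `initrd-build` prefix are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from lvmcreate_initrd or its patch.
# Function names and the "initrd-build" prefix are hypothetical.

# Weak pattern (comment only, never executed here): the name is guessable
# from the PID, and a plain redirect follows whatever already sits at that
# path in a world-writable directory.
#   TMPFILE=/tmp/initrd-build.$$
#   echo data > "$TMPFILE"

# Hardened: mktemp -d picks an unpredictable name and creates the directory
# atomically with mode 0700; it fails instead of reusing an existing entry.
make_private_workdir() {
    base=${1:-${TMPDIR:-/tmp}}
    mktemp -d "$base/initrd-build.XXXXXXXXXX"
}

# Create a file only if nothing exists at the path yet. The symlink test
# gives an explicit refusal; noclobber (set -C) makes the shell decline to
# overwrite an existing file. Both run inside the private directory, which
# is what keeps other local users from racing the check.
write_new_file() {
    target=$1
    [ -L "$target" ] && return 1
    ( set -C; umask 077; cat > "$target" ) 2>/dev/null
}

# Stand-alone demo on constructed data.
work=$(make_private_workdir) && {
    printf 'constructed sample\n' | write_new_file "$work/modules.list" \
        && echo "created $work/modules.list"
    # Constructed case: a link is already present at the target path.
    ln -s "$work/modules.list" "$work/existing-link"
    printf 'other\n' | write_new_file "$work/existing-link" \
        || echo "refused: target is a symlink"
    rm -rf "$work"
}
```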



------- Additional Comments From marcdeslauriers 2005-03-05 11:27:46 ----

Here are updated packages to QA:

Changelog:
* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- add security fix for CAN-2004-0975

83d27a0bb1239ce03be764231d8f64e56f1cc5d7  7.3/lvm-1.0.3-4.1.legacy.i386.rpm
85779c6ecce079fffd3ff98abfc73a697596849e  7.3/lvm-1.0.3-4.1.legacy.src.rpm
fe6521923f714921f201b6d24332caa491588dc5  9/lvm-1.0.3-12.1.legacy.i386.rpm
8225c52f86a7ef93bd1b0526de6f77e387986efd  9/lvm-1.0.3-12.1.legacy.src.rpm
78421a854e79ea73217ed8f3c1ff4b6a4cfd6328  1/lvm-1.0.3-13.1.legacy.i386.rpm
8df365a8f369ac9c4ef86f22a21ae17d63d58e51  1/lvm-1.0.3-13.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/lvm-1.0.3-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/lvm-1.0.3-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lvm-1.0.3-12.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lvm-1.0.3-12.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/lvm-1.0.3-13.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/lvm-1.0.3-13.1.legacy.src.rpm





------- Additional Comments From marcdeslauriers 2005-03-05 11:28:57 ----

Oops, pasted the wrong changelog above... should have read:

* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 1.0.3-4.1.legacy
- Added security patch for CAN-2004-0972




------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2258 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2258
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Pekka Savola 2005-04-16 16:11:33 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHL bugzilla, and look OK

+PUBLISH RHL73,RHL9,FC1

8225c52f86a7ef93bd1b0526de6f77e387986efd  lvm-1.0.3-12.1.legacy.src.rpm
8df365a8f369ac9c4ef86f22a21ae17d63d58e51  lvm-1.0.3-13.1.legacy.src.rpm
85779c6ecce079fffd3ff98abfc73a697596849e  lvm-1.0.3-4.1.legacy.src.rpm


Comment 2 Marc Deslauriers 2005-05-06 02:06:34 UTC
Packages were pushed to updates-testing

Comment 3 Tom Yates 2005-05-06 21:08:18 UTC
3f66e70eef52374a49d9ab4dc87ec1ada14dec32 lvm-1.0.3-12.1.legacy.i386.rpm

installs OK.  this is a tricky one, as although i have it installed, it's
only because mkinitrd requires it.  i don't use it.

so i can't give a wholehearted +VERIFY, for which i apologise.  but it
does install OK, and the system hasn't died horribly, so you might wish
to use this as a second verify if another, real, RH9 verify comes along.
someone let me know if this is a completely-useless report, and i won't
make any more such.

+VERIFISH RH9



Comment 4 Eric Jon Rostetter 2005-07-01 21:50:01 UTC
 
++VERIFY for RHL 9
 
Packages:
lvm-1.0.3-12.1.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
I installed the update on a RHL 9 machine which uses LVM for all
filesystems except the root file system.  This machine is used daily
by me for hours per day.  Had no installation problems.
 
All worked as expected.  Saw no obvious problems or issues after a few
days of use (normal use, reboot, mkinitrd, reboot, backups via amanda+dump,
etc).  Did not verify vulnerability was fixed, just that the package works
and doesn't cause problems for me.
 
Vote for release for RHL 9. ++VERIFY
 

Comment 5 Pekka Savola 2005-07-02 04:05:54 UTC
Verifish + verify, I'll interpret this as two verifies :)

Comment 6 Pekka Savola 2005-07-19 19:30:44 UTC
Timeout over.

Comment 7 Marc Deslauriers 2005-07-24 14:54:30 UTC
These have been officially released.