Bug 493330 (CVE-2009-0115)

Summary: CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agk, bmarzins, bmr, christophe.varoqui, dwysocha, egoggin, heinzm, iannis, j-nomura, kreilly, k-ueda, lmb, lvm-team, mbroz, msnitzer, ovirt-maint, prockai, tranlan, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0115
Whiteboard: source=cve,reported=20090330,public=20090324,impact=moderate,cvss2=6.2/AV:L/AC:H/Au:N/C:C/I:C/A:C
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-04 13:06:52 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 493399, 493400, 493401, 493402    
Bug Blocks:    
Attachments:
Description Flags
Patch extracted from SuSE SRPM none

Description Tomas Hoger 2009-04-01 09:32:05 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0115 to the following vulnerability:

multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
Enterprise Server (SLES) 10 uses world-writable permissions for the
socket file (aka /var/run/multipathd.sock), which allows local users
to send arbitrary commands to the multipath daemon. 

References:
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml
http://secunia.com/advisories/34418
Comment 1 Tomas Hoger 2009-04-01 09:33:28 EDT
Affected component in Red Hat Enterprise Linux / Fedora is device-mapper-multipath, with both EL4 and EL5 seem to be affected by this flaw.
Comment 2 Tomas Hoger 2009-04-01 09:36:50 EDT
Created attachment 337521 [details]
Patch extracted from SuSE SRPM

Source: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/multipath-tools-0.4.7-80.2.src.rpm

The patch does not yet seem to be applied in the upstream git:
http://git.kernel.org/gitweb.cgi?p=linux/storage/multipath-tools/.git;a=tree;f=multipathd
Comment 19 errata-xmlrpc 2009-04-07 15:04:49 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0411 https://rhn.redhat.com/errata/RHSA-2009-0411.html
Comment 20 Fedora Update System 2009-04-07 16:02:41 EDT
device-mapper-multipath-0.4.7-17.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/device-mapper-multipath-0.4.7-17.fc9
Comment 21 Fedora Update System 2009-04-07 16:02:47 EDT
device-mapper-multipath-0.4.8-9.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/device-mapper-multipath-0.4.8-9.fc10
Comment 22 Fedora Update System 2009-04-09 12:09:42 EDT
device-mapper-multipath-0.4.8-9.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2009-04-09 12:10:07 EDT
device-mapper-multipath-0.4.7-17.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.