Bug 599697 (CVE-2010-2061, CVE-2010-2064)

Summary: CVE-2010-2061 CVE-2010-2064 rpcbind: Insecure (predictable) temporary file use
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Steve Dickson <steved>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: security-response-team, steved, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-24 13:21:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 599703, 599705
Bug Blocks:

Description Jan Lieskovsky 2010-06-03 19:00:42 UTC
Guillem Jover pointed out:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5

a deficiency in the way rpcbind gathered / saved registrations from / to
dumped file(s). A local attacker could use this flaw to conduct symbolic
link attacks, leading to unauthorized disclosure of sensitive information
and / or to data integrity corruption of important system files.

CVE Request:
  [2] http://www.openwall.com/lists/oss-security/2010/06/03/4

Comment 1 Jan Lieskovsky 2010-06-03 19:13:06 UTC
This issue affects the versions of the rpcbind package, as shipped
with Fedora releases 11, 12, and 13.

Comment 5 Steve Dickson 2010-06-03 23:44:37 UTC
So what is the answer here... do we need to add some type of encryption
or simply change where the file lives...

Comment 7 Vincent Danen 2010-06-09 04:02:52 UTC
The name CVE-2010-2061 has been assigned for the "any user can craft those two files before the daemon has started for the first time, which the daemon will parse".

The name CVE-2010-2064 has been assigned to the "symlinks are followed on creation of those files".

As noted: http://www.openwall.com/lists/oss-security/2010/06/08/3

Comment 8 Tomas Hoger 2010-08-24 13:17:28 UTC
(In reply to comment #1)
> This issue affects the versions of the rpcbind package, as shipped
> with Fedora releases 11, 12, and 13.

This issue did not affect those Fedora versions; it's quite possible Fedora was never affected, or was only affected for a short time long ago. Looking at the Fedora rpcbind.spec, it contains:

  RPCBDIR=/var/lib/rpcbind 
  [ ... ]
      --with-statedir="$RPCBDIR" \

This changes the location of those two files from the default /tmp to the safe /var/lib/rpcbind (directory is not group writeable). I checked (strings on rpcbind) current and older (from F-8) builds and they use files from /var/lib/rpcbind.

Here is the patch that added support for specifying the state dir location via configure, and it also adds --with-statedir to the .spec file:

http://pkgs.fedoraproject.org/gitweb/?p=rpcbind.git;a=commitdiff;h=5af042e80a1b86c0ca2b746a520f3a5b34be2d1d
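The two conditions named in comment 7 (files a local user can pre-create before the daemon first starts, and symlinks followed when the daemon creates them) and the mitigation described in comment 8 (a state directory that is not group- or world-writable, instead of /tmp) can be checked mechanically. The script below is an added example, not code from this bug report or from the rpcbind project: `audit_state_dir` applies the directory criteria from comment 8 to any path, and `create_state_file` creates a state file with `O_EXCL | O_NOFOLLOW` so that a pre-planted file or symlink makes the create fail instead of being parsed or written through. The directory layout and the file name `state.dump` in `demo()` are constructed stand-ins for /var/lib/rpcbind and /tmp; the real file names are not given on this page.

```python
"""Added example (not from the bug report or rpcbind): audit a daemon's state
directory and create state files without following pre-planted symlinks."""
import os
import stat
import tempfile


def audit_state_dir(path):
    """Return a list of findings; an empty list means the directory is acceptable.

    Follows the reasoning in comment 8: a persistent state directory must not be
    a shared, writable location such as /tmp, because an unprivileged local user
    could then pre-create or link the files the daemon will later parse or write.
    """
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink at the path itself
    if stat.S_ISLNK(st.st_mode):
        return ["state directory is itself a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["state directory is not a directory"]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("state directory is group- or world-writable")
    if st.st_mode & stat.S_ISVTX:
        findings.append("state directory is sticky (shared tmp-style directory)")
    return findings


def create_state_file(path, data):
    """Create `path` with mode 0600; refuse if anything already exists there.

    O_CREAT|O_EXCL fails with EEXIST when a file or (even dangling) symlink is
    already present, which covers the pre-created-file case from comment 7.
    O_NOFOLLOW additionally refuses to traverse a symlink at the final path
    component. Returns True on success, False when the create was refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Exercise both functions on a constructed layout; returns a result dict."""
    base = tempfile.mkdtemp()
    results = {}

    # Constructed stand-in for /var/lib/rpcbind: owner-writable only.
    safe_dir = os.path.join(base, "statedir")
    os.mkdir(safe_dir)
    os.chmod(safe_dir, 0o755)  # mkdir honours umask; force the intended mode
    results["safe_dir_findings"] = audit_state_dir(safe_dir)

    # Constructed stand-in for /tmp: sticky and world-writable.
    shared_dir = os.path.join(base, "tmp")
    os.mkdir(shared_dir)
    os.chmod(shared_dir, 0o1777)
    results["shared_dir_findings"] = audit_state_dir(shared_dir)

    # A symlink already sitting where the daemon would write its state file:
    # the hardened create must refuse it and the link target must stay intact.
    target = os.path.join(base, "target")
    with open(target, "wb") as f:
        f.write(b"original")
    planted = os.path.join(shared_dir, "state.dump")  # constructed file name
    os.symlink(target, planted)
    results["create_refused"] = not create_state_file(planted, b"new dump")
    with open(target, "rb") as f:
        results["target_intact"] = f.read() == b"original"

    # In the safe directory, with nothing pre-existing, the create succeeds.
    fresh = os.path.join(safe_dir, "state.dump")
    results["fresh_created"] = create_state_file(fresh, b"new dump")
    results["fresh_mode"] = stat.S_IMODE(os.stat(fresh).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script against a real installation means pointing `audit_state_dir` at the directory the `--with-statedir` configure option set (comment 8 recovered it with `strings` on the binary); a non-empty findings list is the signal that the shipped build still keeps its state somewhere a local user can pre-populate.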