Bug 599697 (CVE-2010-2061, CVE-2010-2064)
Summary: | CVE-2010-2061 CVE-2010-2064 rpcbind: Insecure (predictable) temporary file use | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Steve Dickson <steved> |
Status: | CLOSED NOTABUG | | |
Severity: | high | | |
Priority: | high | | |
Version: | unspecified | CC: | security-response-team, steved, vdanen |
Keywords: | Security | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435 | | |
Doc Type: | Bug Fix | | |
Last Closed: | 2010-08-24 13:21:27 UTC | | |
Bug Depends On: | 599703, 599705 | | |
Description
Jan Lieskovsky
2010-06-03 19:00:42 UTC
This issue affects the versions of the rpcbind package, as shipped with Fedora release of 11, 12, and 13.

So what is the answer here... do we need to add some type of encryption or simply change where the file lives...

The name CVE-2010-2061 has been assigned for the "any user can craft those two files before the daemon has started for the first time, which the daemon will parse".

The name CVE-2010-2064 has been assigned to the "symlinks are followed on creation of those files".

As noted: http://www.openwall.com/lists/oss-security/2010/06/08/3

(In reply to comment #1)
> This issue affects the versions of the rpcbind package, as shipped
> with Fedora release of 11, 12, and 13.

This issue did not affect those Fedora versions; it's quite possible Fedora was never affected, or was only affected for a short time long ago. Looking at the Fedora rpcbind.spec, it contains:

    RPCBDIR=/var/lib/rpcbind
    [ ... ]
    --with-statedir="$RPCBDIR" \

This changes location of those two files from default /tmp to safe /var/lib/rpcbind (directory is not group writeable). I checked (strings on rpcbind) current and older (from F-8) builds and they use files from /var/lib/rpcbind.

Here is the patch that added support for specifying state dir location via configure, and it also adds --with-statedir to .spec file:

http://pkgs.fedoraproject.org/gitweb/?p=rpcbind.git;a=commitdiff;h=5af042e80a1b86c0ca2b746a520f3a5b34be2d1d
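The two conditions named in this thread (a state file pre-created by another user and then parsed, and a symlink followed when the file is created) can also be refused at open time, independent of where the state directory lives. The following is an added example, not rpcbind's code or the Fedora patch; the function names, file names and scratch directory are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open an existing state file for parsing. Returns an fd, or -1 if the file
 * could have been planted or modified by another user. */
int open_state_ro(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); /* never follow a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 ||                 /* check the opened fd, not the name */
        !S_ISREG(st.st_mode) ||                /* FIFO, device or directory */
        st.st_uid != geteuid() ||              /* pre-created by someone else */
        (st.st_mode & (S_IWGRP | S_IWOTH)) ||  /* writable by group or others */
        st.st_nlink != 1) {                    /* hard link to another file */
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a new state file. O_CREAT|O_EXCL fails if the name already exists,
 * even as a dangling symlink, so a planted link is never written through. */
int create_state(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory. Bit mask of what was allowed:
 * 1 clean create, 2 clean read, 4 create via planted symlink, 8 link target created, 16 loosened file read. */
int demo(void) {
    char dir[] = "/tmp/statedemo.XXXXXX", good[64], lnk[64], victim[64];
    int fd, mask = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(good, sizeof good, "%s/good.state", dir);
    snprintf(lnk, sizeof lnk, "%s/planted.state", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if ((fd = create_state(good)) >= 0) { mask |= 1; close(fd); }
    if ((fd = open_state_ro(good)) >= 0) { mask |= 2; close(fd); }
    if (symlink(victim, lnk) != 0) return -1;      /* dangling link planted first */
    if ((fd = create_state(lnk)) >= 0) { mask |= 4; close(fd); }
    if (access(victim, F_OK) == 0) mask |= 8;
    if (chmod(good, 0666) != 0) return -1;         /* simulate a group/world-writable file */
    if ((fd = open_state_ro(good)) >= 0) { mask |= 16; close(fd); }
    unlink(good); unlink(lnk); unlink(victim); rmdir(dir);
    return mask;
}
int main(void) { printf("mask = %d\n", demo()); return 0; }
```

These checks cover only the file itself; they do not stop another user from renaming or deleting entries in a directory they can write to, which is why the location of the state directory discussed above still matters.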