Bug 759548 (CVE-2011-4930)

Summary: CVE-2011-4930 Condor: Multiple format string flaws
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: iboverma, jneedle, matt, security-response-team, tcapek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 758212, 781346, 787804    
Bug Blocks: 747556    

Description Jan Lieskovsky 2011-12-02 16:28:55 UTC 
Multiple format string flaws were found in Condor:

a) when the XML message log format was requested in Condor submit job by remote Condor user and that user attempted to write a specially-crafted message into user log file via condor_hold tool it could lead to condor_schedd daemon crash, or, potentially arbitrary code execution with the privileges of the 'condor' user [*]. Also this way an attacker could potentially prevent other Condor jobs from being scheduled and ever executed,

b) request for file transfer by remote Condor user to transmit a file, with specially-crafted name, could lead to child process of condor_schedd daemon to crash (repeated process, where condor_schedd daemon would fork a child process to handle the request, the child to crash, while trying to handle it and condor_schedd daemon to fork another child since the particular Condor job still have not been completed successfully).

Upstream bug report (mentioning only one attack vector):
[1] https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=2660

General upstream patch (addressing among these flaws
also couple of compiler warning problems):
[2] http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=5e5571d1a431eb3c61977b6dd6ec90186ef79867

--
[*] Arbitrary code execution was possible only on systems, where Condor daemons were not compiled with FORTIFY_SOURCE protection mechanism. On systems with this protection enabled, particular flaw would lead to Condor service crash only.
Comment 1 Jan Lieskovsky 2011-12-02 16:40:53 UTC 
These issues affect the versions of the condor package, as shipped with Red Hat Enterprise MRG version 1.3 and version 2.0.

--

These issues affect the versions of the condor package, as shipped with Fedora release of 15 and 16.
Comment 6 Jan Lieskovsky 2012-01-11 14:20:14 UTC 
The CVE identifier of CVE-2011-4930 has been assigned to this issue.
Comment 13 Jan Lieskovsky 2012-01-13 12:14:50 UTC 
The preliminary embargo date for this issue has been set up to Monday, 6-th February of 2012.
Comment 14 Vincent Danen 2012-02-06 18:06:14 UTC 
This is now public.

External References:

http://research.cs.wisc.edu/condor/security/vulnerabilities/CONDOR-2012-0001.html
Comment 15 errata-xmlrpc 2012-02-06 18:18:45 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5 v. 2

Via RHSA-2012:0100 https://rhn.redhat.com/errata/RHSA-2012-0100.html
Comment 16 errata-xmlrpc 2012-02-06 18:27:09 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0099 https://rhn.redhat.com/errata/RHSA-2012-0099.html
Comment 17 Vincent Danen 2012-02-06 18:59:53 UTC 
Created condor tracking bugs for this issue

Affects: fedora-all [bug 787804]