|Summary:||CVE-2011-4930 Condor: Multiple format string flaws|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||iboverma, jneedle, matt, security-response-team, tcapek|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||758212, 781346, 787804|
Description Jan Lieskovsky 2011-12-02 16:28:55 UTC
Multiple format string flaws were found in Condor: a) when the XML message log format was requested in Condor submit job by remote Condor user and that user attempted to write a specially-crafted message into user log file via condor_hold tool it could lead to condor_schedd daemon crash, or, potentially arbitrary code execution with the privileges of the 'condor' user [*]. Also this way an attacker could potentially prevent other Condor jobs from being scheduled and ever executed, b) request for file transfer by remote Condor user to transmit a file, with specially-crafted name, could lead to child process of condor_schedd daemon to crash (repeated process, where condor_schedd daemon would fork a child process to handle the request, the child to crash, while trying to handle it and condor_schedd daemon to fork another child since the particular Condor job still have not been completed successfully). Upstream bug report (mentioning only one attack vector):  https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=2660 General upstream patch (addressing among these flaws also couple of compiler warning problems):  http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=5e5571d1a431eb3c61977b6dd6ec90186ef79867 -- [*] Arbitrary code execution was possible only on systems, where Condor daemons were not compiled with FORTIFY_SOURCE protection mechanism. On systems with this protection enabled, particular flaw would lead to Condor service crash only.
Comment 1 Jan Lieskovsky 2011-12-02 16:40:53 UTC
These issues affect the versions of the condor package, as shipped with Red Hat Enterprise MRG version 1.3 and version 2.0. -- These issues affect the versions of the condor package, as shipped with Fedora release of 15 and 16.
Comment 6 Jan Lieskovsky 2012-01-11 14:20:14 UTC
The CVE identifier of CVE-2011-4930 has been assigned to this issue.
Comment 13 Jan Lieskovsky 2012-01-13 12:14:50 UTC
The preliminary embargo date for this issue has been set up to Monday, 6-th February of 2012.
Comment 14 Vincent Danen 2012-02-06 18:06:14 UTC
This is now public. External References: http://research.cs.wisc.edu/condor/security/vulnerabilities/CONDOR-2012-0001.html
Comment 15 errata-xmlrpc 2012-02-06 18:18:45 UTC
This issue has been addressed in following products: MRG for RHEL-5 v. 2 Via RHSA-2012:0100 https://rhn.redhat.com/errata/RHSA-2012-0100.html
Comment 16 errata-xmlrpc 2012-02-06 18:27:09 UTC
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2012:0099 https://rhn.redhat.com/errata/RHSA-2012-0099.html