Bug 886364 (CVE-2012-5635)

Summary: CVE-2012-5635 GlusterFS: insecure temporary file creation
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aavati, amarts, jrusnack, misc, rabhat, rhs-bugs, security-response-team, shaines, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130328,reported=20121211,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N,rhes-2.0/glusterfs=affected,fedora-all/glusterfs=affected,epel-all/glusterfs=affected,cwe=CWE-377
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Multiple insecure temporary file creation flaws were found in Red Hat Storage. A local user on the Red Hat Storage server could use these flaws to cause arbitrary files to be overwritten as the root user via a symbolic link attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-21 22:51:42 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 886365    
Bug Blocks: 886367    

Description Kurt Seifried 2012-12-12 01:35:11 EST
Following the fixing of several /tmp/ flaws in CVE-2012-4417 we have the 
remaining issues in Gluster reported by Kurt Seifried (kseifried@redhat.com):

==============
This issue was previously not reported:
This should probably use /var/run/gluster/glusterdump.%d.options

tests/volume.rc:        rm -f /tmp/glusterdump.$mount_pid.dump.* 2>/dev/null
tests/volume.rc:        fname=$(ls /tmp | grep -E "glusterdump.$mount_pid.dump.*")
tests/volume.rc:        echo /tmp/$fname
==============
 
==============
This issue was previously not reported:
This should use mktemp
Also this should use cp instead of mv so you don't lose SELinux context when 
copying the file back to /etc/samba/smb.conf which might break Samba

extras/hook-scripts/S30samba-stop.sh:        cp /etc/samba/smb.conf /tmp/smb.conf
extras/hook-scripts/S30samba-stop.sh:        sed -i "/gluster-$volname/,/^$/d" /tmp/smb.conf &&\
extras/hook-scripts/S30samba-stop.sh:                mv /tmp/smb.conf /etc/samba/smb.conf
==============

==============
This issue was previously reported:
This should use mkstemp()

libglusterfs/src/run.c:        fd = open ("/tmp/foof", O_WRONLY|O_CREAT|O_TRUNC, 0600);
==============

==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

libglusterfs/src/statedump.c:/* These options are dumped by default if /tmp/glusterdump.options
libglusterfs/src/statedump.c:        /* glusterd will create a file /tmp/glusterdump.<pid>.options and
libglusterfs/src/statedump.c:           both cli command and SIGUSR1, /tmp/glusterdump.options file
libglusterfs/src/statedump.c:                  "/tmp/glusterdump.options");
libglusterfs/src/statedump.c:                          "/tmp/glusterdump.%d.options", getpid ());
libglusterfs/src/statedump.c:                   ((ctx->statedump_path != NULL)?ctx->statedump_path:"/tmp")),
==============

==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

xlators/protocol/server/src/server.c:          .default_value = "/tmp",
xlators/protocol/server/src/server.c:                         " statedumps. By default it is the /tmp directory"
==============
 
==============
This issue was previously reported:
This should probably use /var/run/gluster/%s-"RB_CLIENT_MOUNTPOINT

xlators/mgmt/glusterd/src/glusterd-replace-brick.c:        snprintf (path, len, "/tmp/%s-"RB_CLIENT_MOUNTPOINT, volinfo->volname);
==============

 
==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

xlators/mgmt/glusterd/src/glusterd-utils.c:                  snprintf (dumpoptions_path, sizeof (dumpoptions_path), "/tmp/glusterdump.%d.options", pid);
xlators/mgmt/glusterd/src/glusterd-utils.c:                  snprintf (dumpoptions_path, sizeof (dumpoptions_path), "/tmp/glusterdump.%d.options", pid);
==============
Comment 1 Kurt Seifried 2013-01-31 00:02:50 EST
*** Bug 894870 has been marked as a duplicate of this bug. ***
Comment 2 Kurt Seifried 2013-01-31 00:03:18 EST
*** Bug 894871 has been marked as a duplicate of this bug. ***
Comment 3 Kurt Seifried 2013-01-31 00:04:07 EST
*** Bug 894872 has been marked as a duplicate of this bug. ***
Comment 4 Murray McAllister 2013-02-13 22:45:28 EST
Acknowledgements:

These issues were discovered by Kurt Seifried of the Red Hat Security Response Team and Michael Scherer of the Red Hat Regional IT team.
Comment 6 errata-xmlrpc 2013-03-28 18:28:05 EDT
This issue has been addressed in following products:

  Red Hat Storage 2.0
  Red Hat Storage 2.0 Console
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2013:0691 https://rhn.redhat.com/errata/RHSA-2013-0691.html