Bug 986773 (CVE-2013-4159)
| Summary: | CVE-2013-4159 ctdb: /tmp file vulnerability issues | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | chrisw, jkurik, nlevinki, sbose, security-response-team, ssaha, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 11:00:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 989026, 989027, 1102900 | ||
| Bug Blocks: | 986520, 1074598 | ||
Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=10104 (In reply to Kurt Seifried from comment #0) > ./ctdb-1.0.114.5/tcp/tcp_connect.c: > const char *lock_path = "/tmp/.ctdb_socket_lock"; Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=b9b9f6738fba5c32e87cb9c36b358355b444fb9b > ./ctdb-1.0.114.5/server/eventscript.c: > sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }" > " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); > system(buf); Removed upstream and replaced by an external script: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=6e68797af67bee36f2bad045f94806e7e98f27e9 > ======================================== > ./ctdb-1.0.114.5/tools/ctdb_diagnostics: > ERRORS="/tmp/diag_err.$$" > tmpf=/tmp/`basename $f`.node$i > tmpf=/tmp/`basename $f`.node$i Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=406e1cb1fdd17ddd239774d0228e3657b73ae68f > ./ctdb-1.0.114.5/config/gdb_backtrace: > BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$ > BATCHFILE_MAIN=/tmp/gdb_backtrace_main.$$ Removed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=4b914d7e217202f3d11a8e95f9f74bc17869475b This only exists in ctdb srpm in Red Hat Enterprise Linux 6, but the script is not shipped as part of ctdb binary packages. > ./ctdb-1.0.114.5/config/ctdb.sysconfig: > # defaults to /tmp/ctdb.socket > # CTDB_SOCKET=/tmp/ctdb.socket > ./ctdb-1.0.114.5/include/ctdb_private.h: > #define CTDB_PATH "/tmp/ctdb.socket" Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=dc67a4e24af9d07aead2a1710eeaf5d6cc409201 Created ctdb tracking bugs for this issue: Affects: fedora-all [bug 1102900] ctdb-2.5.4-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |
Kurt Seifried (kseifried) reports: While looking at various components for Storage I ran across some tmp file issues in ctdb: ======================================== ./ctdb-1.0.114.5/tcp/tcp_connect.c: const char *lock_path = "/tmp/.ctdb_socket_lock"; const char *lock_path = "/tmp/.ctdb_socket_lock"; struct flock lock; int one = 1; int sock_size; /* in order to ensure that we don't get two nodes with the same adddress, we must make the bind() and listen() calls atomic. The SO_REUSEADDR setsockopt only prevents double binds if the first socket is in LISTEN state */ lock_fd = open(lock_path, O_RDWR|O_CREAT, 0666); if (lock_fd == -1) { DEBUG(DEBUG_CRIT,("Unable to open %s\n", lock_path)); return -1; } ======================================== ./ctdb-1.0.114.5/server/eventscript.c: " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }" " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); system(buf); ======================================== ./ctdb-1.0.114.5/tools/ctdb_diagnostics:ERRORS="/tmp/diag_err.$$" ./ctdb-1.0.114.5/tools/ctdb_diagnostics: tmpf=/tmp/`basename $f`.node$i ./ctdb-1.0.114.5/tools/ctdb_diagnostics: tmpf=/tmp/`basename $f`.node$i shell script, easy to exploit. ======================================== ./ctdb-1.0.114.5/config/gdb_backtrace:BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$ ./ctdb-1.0.114.5/config/gdb_backtrace:BATCHFILE_MAIN=/tmp/gdb_backtrace_main.$$ shell script, easy to exploit. ======================================== ./ctdb-1.0.114.5/config/ctdb.sysconfig:# defaults to /tmp/ctdb.socket ./ctdb-1.0.114.5/config/ctdb.sysconfig:# CTDB_SOCKET=/tmp/ctdb.socket This appears to be used unsafely later on ======================================== ./ctdb-1.0.114.5/include/ctdb_private.h:#define CTDB_PATH "/tmp/ctdb.socket" This appears to be used unsafely later on ======================================== It varies a bit in newer versions but the core problems are present.