Bug 986773 (CVE-2013-4159)

Summary: CVE-2013-4159 ctdb: /tmp file vulnerability issues
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: chrisw, jkurik, nlevinki, sbose, security-response-team, ssaha, vbellur
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-10 11:00:55 UTC
Bug Depends On: 989026, 989027, 1102900
Bug Blocks: 986520, 1074598

Description Kurt Seifried 2013-07-22 04:47:50 UTC
Kurt Seifried (kseifried) reports:

While looking at various components for Storage I ran across some tmp file issues in ctdb:

./ctdb-	const char *lock_path = "/tmp/.ctdb_socket_lock";
        const char *lock_path = "/tmp/.ctdb_socket_lock";
        struct flock lock;
        int one = 1;
        int sock_size;

        /* in order to ensure that we don't get two nodes with the
           same adddress, we must make the bind() and listen() calls
           atomic. The SO_REUSEADDR setsockopt only prevents double
           binds if the first socket is in LISTEN state  */
        lock_fd = open(lock_path, O_RDWR|O_CREAT, 0666);
        if (lock_fd == -1) {
                DEBUG(DEBUG_CRIT,("Unable to open %s\n", lock_path));
                return -1;
./ctdb-		" >/tmp/ctdb.event.%s.%d", tbuf, getpid());
        sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }"
                " >/tmp/ctdb.event.%s.%d", tbuf, getpid());
./ctdb-     tmpf=/tmp/`basename $f`.node$i
./ctdb-     tmpf=/tmp/`basename $f`.node$i
shell script, easy to exploit.
shell script, easy to exploit.
./ctdb- # defaults to /tmp/ctdb.socket
./ctdb- # CTDB_SOCKET=/tmp/ctdb.socket
This appears to be used unsafely later on
./ctdb- #define CTDB_PATH	"/tmp/ctdb.socket"
This appears to be used unsafely later on

It varies a bit in newer versions but the core problems are present.
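
Added example (not code from ctdb or from the report above): the hardened counterpart to the open("/tmp/.ctdb_socket_lock", O_RDWR|O_CREAT, 0666) quoted in the description, written from a reviewer's side. It assumes the daemon can keep its lock in a private runtime directory it owns instead of the shared /tmp; `safe_lock_open` and `demo` are names chosen for this example, and the self-check creates its own directory with mkdtemp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened counterpart to open("/tmp/.ctdb_socket_lock", O_RDWR|O_CREAT, 0666):
 * the lock lives in a directory we own (assumed to be supplied by the caller,
 * not the shared sticky /tmp), symlinks are refused, mode is private, and the
 * opened object is verified before it is trusted.  Returns an fd or -1. */
int safe_lock_open(const char *dir, const char *name)
{
        char path[PATH_MAX];
        struct stat dst, fst;
        int fd;
        if (snprintf(path, sizeof(path), "%s/%s", dir, name) >= (int)sizeof(path)) return -1;
        /* the directory itself must be ours and not writable by others */
        if (lstat(dir, &dst) == -1 || !S_ISDIR(dst.st_mode) ||
            dst.st_uid != geteuid() || (dst.st_mode & (S_IWGRP|S_IWOTH)))
                return -1;
        fd = open(path, O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600);
        if (fd == -1)
                return -1;          /* ELOOP when a symlink sits at the name */
        /* must be a plain file we own with a single link */
        if (fstat(fd, &fst) == -1 || !S_ISREG(fst.st_mode) ||
            fst.st_uid != geteuid() || fst.st_nlink != 1) {
                close(fd);
                return -1;
        }
        return fd;
}

/* Self-check: a fresh private directory accepts the lock, and a symlink planted
 * under another lock name is refused with ELOOP.  Returns 1 when both hold. */
int demo(void)
{
        char dir[] = "/tmp/lockdemo.XXXXXX", lock[PATH_MAX], link[PATH_MAX];
        int ok = 0, fd;
        if (mkdtemp(dir) == NULL) return 0;     /* mode 0700, owned by us */
        snprintf(lock, sizeof(lock), "%s/ctdb_socket_lock", dir);
        snprintf(link, sizeof(link), "%s/planted", dir);
        fd = safe_lock_open(dir, "ctdb_socket_lock");
        if (fd >= 0 && symlink(lock, link) == 0 &&
            safe_lock_open(dir, "planted") == -1 && errno == ELOOP)
                ok = 1;
        if (fd >= 0) close(fd);
        unlink(link); unlink(lock); rmdir(dir);
        return ok;
}
```

The same principle covers the shell scripts' /tmp/`basename $f`.node$i and $$-suffixed names quoted above: a mktemp(1)-created file or a private directory, never a predictable path in a shared world-writable directory.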

Comment 2 Kurt Seifried 2013-08-22 19:13:30 UTC
Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=10104

Comment 3 Tomas Hoger 2014-03-10 15:28:07 UTC
(In reply to Kurt Seifried from comment #0)
> ./ctdb-
>         const char *lock_path = "/tmp/.ctdb_socket_lock";

Fixed upstream in:

> ./ctdb-
>         sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }"
>                 " >/tmp/ctdb.event.%s.%d", tbuf, getpid());
>         system(buf);

Removed upstream and replaced by an external script:

> ========================================
> ./ctdb-
> ERRORS="/tmp/diag_err.$$"
>      tmpf=/tmp/`basename $f`.node$i
>      tmpf=/tmp/`basename $f`.node$i

Fixed upstream in:

> ./ctdb-
> BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$
> BATCHFILE_MAIN=/tmp/gdb_backtrace_main.$$

Removed upstream in:

This only exists in ctdb srpm in Red Hat Enterprise Linux 6, but the script is not shipped as part of ctdb binary packages.

> ./ctdb-
> # defaults to /tmp/ctdb.socket
> # CTDB_SOCKET=/tmp/ctdb.socket

> ./ctdb-
> #define CTDB_PATH	"/tmp/ctdb.socket"

Fixed upstream in:

Comment 7 Kurt Seifried 2014-05-29 19:14:36 UTC
Created ctdb tracking bugs for this issue:

Affects: fedora-all [bug 1102900]

Comment 10 Fedora Update System 2014-12-20 08:36:16 UTC
ctdb-2.5.4-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.