http://secunia.com/advisories/13083/

A vulnerability has been reported in LVM, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerability is caused due to the "lvmcreate_initrd" script creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files on the system with the privileges of the user invoking the vulnerable script.

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136309

Patch:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=105434&action=view

------- Additional Comments From marcdeslauriers 2005-03-05 11:27:46 ----

Here are updated packages to QA:

Changelog:
* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 0.9.6b-37.7.legacy
- add security fix for CAN-2004-0975

83d27a0bb1239ce03be764231d8f64e56f1cc5d7 7.3/lvm-1.0.3-4.1.legacy.i386.rpm
85779c6ecce079fffd3ff98abfc73a697596849e 7.3/lvm-1.0.3-4.1.legacy.src.rpm
fe6521923f714921f201b6d24332caa491588dc5 9/lvm-1.0.3-12.1.legacy.i386.rpm
8225c52f86a7ef93bd1b0526de6f77e387986efd 9/lvm-1.0.3-12.1.legacy.src.rpm
78421a854e79ea73217ed8f3c1ff4b6a4cfd6328 1/lvm-1.0.3-13.1.legacy.i386.rpm
8df365a8f369ac9c4ef86f22a21ae17d63d58e51 1/lvm-1.0.3-13.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/lvm-1.0.3-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/lvm-1.0.3-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lvm-1.0.3-12.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lvm-1.0.3-12.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/lvm-1.0.3-13.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/lvm-1.0.3-13.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-03-05 11:28:57 ----

Oops, pasted the wrong changelog above... should have read:

* Sat Mar 05 2005 Marc Deslauriers <marcdeslauriers> 1.0.3-4.1.legacy
- Added security patch for CAN-2004-0972

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2258 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2258
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here.
Reassigning to the person who moved it here, dkl.
Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come from RHL bugzilla, and look OK

+PUBLISH RHL73,RHL9,FC1

8225c52f86a7ef93bd1b0526de6f77e387986efd lvm-1.0.3-12.1.legacy.src.rpm
8df365a8f369ac9c4ef86f22a21ae17d63d58e51 lvm-1.0.3-13.1.legacy.src.rpm
85779c6ecce079fffd3ff98abfc73a697596849e lvm-1.0.3-4.1.legacy.src.rpm

Packages were pushed to updates-testing

3f66e70eef52374a49d9ab4dc87ec1ada14dec32 lvm-1.0.3-12.1.legacy.i386.rpm

installs OK.

this is a tricky one, as although i have it installed, it's only because mkinitrd requires it. i don't use it. so i can't give a wholehearted +VERIFY, for which i apologise. but it does install OK, and the system hasn't died horribly, so you might wish to use this as a second verify if another, real, RH9 verify comes along.

someone let me know if this is a completely-useless report, and i won't make any more such.

+VERIFISH RH9

++VERIFY for RHL 9

Packages: lvm-1.0.3-12.1.legacy.i386.rpm

SHA1 checksums all match test update advisory. Signatures verify okay.

I installed the update on a RHL 9 machine which uses LVM for all filesystems except the root file system. This machine is used daily by me for hours per day. Had no installation problems. All worked as expected. Saw no obvious problems or issues after a few days of use (normal use, reboot, mkinitrd, reboot, backups via amanda+dump, etc).

Did not verify vulnerability was fixed, just that the package works and doesn't cause problems for me.

Vote for release for RHL 9. ++VERIFY

Verifish + verify, I'll interpret this as two verifies :)
Timeout over.
These have been officially released.
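
The insecure temporary-file creation described in the advisory at the top of this report, shown beside the usual hardened form. This is an added example, not the lvmcreate_initrd code or the linked patch; the function names, the file names and the sandbox scenario are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; every name below is hypothetical.

# Weak pattern: a predictable name in a directory other users can write to.
# The ">" redirection follows a symlink that already sits at that path.
write_predictable() {            # $1 = shared dir, $2 = data
    tmp="$1/initrd_work.$$"
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Hardened pattern: mktemp -d makes a new mode-0700 directory with a random
# suffix and never reuses an existing path, so nothing can be pre-planted.
write_private() {                # $1 = shared dir, $2 = data
    dir=$(mktemp -d "$1/initrd_work.XXXXXX") || return 1
    # noclobber: the redirection fails if the file already exists
    ( set -C; echo "$2" > "$dir/image" ) || return 1
    echo "$dir/image"
}

# Constructed scenario, confined to a private sandbox: a symlink has been
# left at the predictable name, pointing at a file that must not change.
# Prints that file's content after the chosen writer has run.
demo() {                         # $1 = "predictable" or "private"
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/tmp"
    mkdir "$shared"
    echo "original" > "$sandbox/protected.conf"
    ln -s "$sandbox/protected.conf" "$shared/initrd_work.$$"
    "write_$1" "$shared" "scratch data" > /dev/null
    cat "$sandbox/protected.conf"
    rm -rf "$sandbox"
}

echo "predictable name: protected file contains '$(demo predictable)'"
echo "mktemp -d:        protected file contains '$(demo private)'"
```

On current Linux kernels, fs.protected_symlinks=1 refuses to follow such a link inside a sticky world-writable directory like /tmp, which is why the demo uses its own non-sticky sandbox. The mktemp pattern is still the fix that belongs in the script itself.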