Red Hat Bugzilla – Bug 460476
CVE-2008-4192 cman/fence: insecure temporary file usage in the egenera fence agent
Last modified: 2016-03-04 07:22:02 EST
The cman package as shipped with Red Hat Enterprise Linux 5 and within
Fedora releases starting from 9 is prone to a symlink attack.
Affected file: /sbin/fence_egenera
Relevant part of the code:
296 sub pserver_shutdown
298 my $rtrn=1;
299 local *egen_log;
301 for (my $trys=0; $trys<20; $trys++)
303 last if (pserver_status != 0);
306 my $status = $_;
. . .
A malicious user could precreate a symlink, pointing to the file /tmp/eglog,
A subsequent run of the '/sbin/egenera' command would destroy / truncate the
target of this link to zero length.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374 (part for cman)
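The symlink problem described in the report above, as an added example that is not code from fence_egenera or from the bug report: a truncating open of a fixed log path next to an exclusive-create open and a File::Temp-based log. The scratch directory, file names and helper subs are assumptions made for the illustration.

```perl
# Added example (constructed): everything happens inside a private scratch
# directory that stands in for /tmp; all file names here are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Pattern described in the report: truncating open of a fixed, predictable
# path. open() follows a symlink at $path and truncates what it points to.
sub open_log_weak {
    my ($path) = @_;
    open(my $fh, '>', $path) or return;
    return $fh;
}

# Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
# symlink (dangling or not), already exists at $path.
sub open_log_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

sub plant {    # recreate the protected file and the pre-created link
    my ($target, $link) = @_;
    unlink $link;
    open(my $t, '>', $target) or die "create $target: $!";
    print $t "important data\n";
    close($t) or die "close $target: $!";
    symlink($target, $link) or die "symlink: $!";
}

my $dir = tempdir(CLEANUP => 1);
my ($target, $log) = ("$dir/protected.conf", "$dir/eglog");

plant($target, $log);
my $fh = open_log_weak($log);
close($fh) if $fh;
printf "weak open:      target is now %d bytes\n", (stat($target))[7];

plant($target, $log);
$fh = open_log_exclusive($log);
printf "exclusive open: %s, target is still %d bytes\n",
    ($fh ? "opened" : "refused ($!)"), (stat($target))[7];

# Alternative: File::Temp picks an unpredictable name, created exclusively.
my ($tfh, $tname) = tempfile('eglog.XXXXXXXX', DIR => $dir, UNLINK => 1);
print $tfh "pserver shutdown status\n";
close($tfh) or die "close $tname: $!";
```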
This issue affects the version of cman package, as shipped with Red Hat
Enterprise Linux 5 and those, shipped within the Fedora release starting from
The cman package as shipped with Red Hat Enterprise Linux 4 Cluster Suite
product and that one, shipped within Fedora release of 8, are not affected
by this issue.
This issue also affects Red Hat Cluster Suite for Red Hat Enterprise Linux 4; the affected egenera fencing agent is shipped as part of the fence package.
Logging to a file in /tmp was added in following commit:
as part of the fix for bug #251358 / bug #233428.
FYI this bug also affects Fedora 9, all the 2.03. stable releases and the 2.99. unstable releases.
A bug fix for 2.99 was checked in a few minutes ago.
Updates for 2.03 and Fedora will be produced beginning of next week.
rgmanager-2.03.08-1.fc9, gfs2-utils-2.03.08-1.fc9, cman-2.03.08-1.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Cluster Suite for RHEL 4
Via RHSA-2011:0266 https://rhn.redhat.com/errata/RHSA-2011-0266.html
This was corrected in RHEL5 via RHBA-2010:0266.