Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0115 to the following vulnerability: multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux Enterprise Server (SLES) 10 uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.
References:
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://download.opensuse.org/update/10.3-test/repodata/patch-kpartx-6082.xml
http://secunia.com/advisories/34418
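As an added illustration of the flaw class described above, not code from this bug report or from multipath-tools: a Python audit that flags world-writable Unix-domain sockets, next to the way a daemon should create its control socket so that the file is never world-writable. The socket path under a temporary directory and the `demo()` helper are constructed for the example.

```python
import os
import socket
import stat
import tempfile

def is_world_writable(path):
    # On Linux, connect() needs write permission on the socket file, so a
    # world-writable socket (the CVE-2009-0115 condition) is open to every local user.
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)

def audit_sockets(paths):
    """Return those of `paths` that exist, are sockets and are world-writable."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append(p)
    return findings

def bind_control_socket(path, mode=0o600):
    """Listening Unix-domain socket that is restrictive from the moment it exists."""
    if os.path.lexists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # tighten before bind(): no window with loose bits
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)  # pin the final mode regardless of the caller's umask
    srv.listen(1)
    return srv

def demo():
    """Constructed scenario: hardened socket, then the same socket made world-writable."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "multipathd.sock")  # constructed path, not /var/run
        srv = bind_control_socket(sock_path)
        hardened = audit_sockets([sock_path, os.path.join(d, "missing.sock")])
        mode_ok = not is_world_writable(sock_path)
        os.chmod(sock_path, 0o666)  # reproduce the vulnerable permission set
        weak = [os.path.basename(p) for p in audit_sockets([sock_path])]
        srv.close()
        return {"hardened_findings": hardened, "mode_ok": mode_ok, "weak_findings": weak}

if __name__ == "__main__":
    print(demo())
```

Run against real paths, `audit_sockets` is the check a host hardening script would apply to daemon control sockets under `/var/run`.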
The affected component in Red Hat Enterprise Linux / Fedora is device-mapper-multipath; both EL4 and EL5 seem to be affected by this flaw.
Created attachment 337521
Patch extracted from SuSE SRPM
Source: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/multipath-tools-0.4.7-80.2.src.rpm
The patch does not yet seem to be applied in the upstream git: http://git.kernel.org/gitweb.cgi?p=linux/storage/multipath-tools/.git;a=tree;f=multipathd
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:0411 https://rhn.redhat.com/errata/RHSA-2009-0411.html
device-mapper-multipath-0.4.7-17.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/device-mapper-multipath-0.4.7-17.fc9
device-mapper-multipath-0.4.8-9.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/device-mapper-multipath-0.4.8-9.fc10
device-mapper-multipath-0.4.8-9.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
device-mapper-multipath-0.4.7-17.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.