Red Hat Bugzilla – Bug 493330
CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock
Last modified: 2010-05-04 13:41:04 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0115 to the following vulnerability:
multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
Enterprise Server (SLES) 10 uses world-writable permissions for the
socket file (aka /var/run/multipathd.sock), which allows local users
to send arbitrary commands to the multipath daemon.
The affected component in Red Hat Enterprise Linux / Fedora is device-mapper-multipath; both EL4 and EL5 seem to be affected by this flaw.
Created attachment 337521
Patch extracted from SuSE SRPM
The patch does not yet seem to be applied in the upstream git:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:0411 https://rhn.redhat.com/errata/RHSA-2009-0411.html
device-mapper-multipath-0.4.7-17.fc9 has been submitted as an update for Fedora 9.
device-mapper-multipath-0.4.8-9.fc10 has been submitted as an update for Fedora 10.
device-mapper-multipath-0.4.8-9.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
device-mapper-multipath-0.4.7-17.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.