Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6552 to the following vulnerability:
Red Hat Cluster Project 2.x allows local users to modify or overwrite arbitrary files via symlink attacks on files in /tmp, involving unspecified components in Resource Group Manager (aka rgmanager) before 2.03.09-1, gfs2-utils before 2.03.09-1, and CMAN - The Cluster Manager before 2.03.09-1 on Fedora 9.
References:
  http://www.redhat.com/archives/fedora-package-announce/2008-November/msg00163.html
  http://www.redhat.com/archives/fedora-package-announce/2008-November/msg00164.html
  http://www.redhat.com/archives/fedora-package-announce/2008-November/msg00165.html
  http://secunia.com/advisories/32602/
  http://xforce.iss.net/xforce/xfdb/46412
  http://www.securityfocus.com/bid/32179
Are you saying that the bug is already fixed, or that work remains to be done?
Fedora updates were pushed a while ago, RHEL5 updates in 5.4 backport the fixes. rgmanager's bits apply to RHEL4, so I plan to clone this bug and propose for inclusion in 4.9 updates.
For better clarity, here is a per-component list of changes relevant to this CVE:
cman:
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=7a798fa3bc
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=6e8c492f8e
rgmanager - daemon part:
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=3f03e42f0b
rgmanager - resource agents:
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=18077be27b
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=5265ab0f6f
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=765f2dba9f
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=3daae0e957
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=4cc4d59283
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=8161a3c65a
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=d3ed649858
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=6c4fcfc77a
gfs2-utils:
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=e06d163973
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=8d69822491
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=b75c1decdc
Note: some changes as backported to RHEL5 used an approach different to upstream git commits (creating temporary files properly, not yet moving files to better locations under /var), e.g.:
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=5bf3964b3b
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=684b86aa70
  http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=0b686fd6e0
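Added illustration, not part of the comment above and not code from the cluster project: a constructed shell sketch of the bug class named in the CVE text (a predictable file name in a shared temporary directory) next to the "creating temporary files properly" style of fix, here using mktemp. The function names, file names and sandbox layout are assumptions made for the demo; a private directory stands in for /tmp.

```shell
#!/bin/sh
# Constructed demo. Everything happens in a private sandbox directory that
# stands in for /tmp; file names and data are made up for illustration.

# Unsafe: fixed, predictable name. A plain redirection follows a symlink
# that another local user created under that name beforehand.
write_state_unsafe() {    # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/agent-state.tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively (it refuses existing names, symlinks included), mode 0600.
write_state_safe() {      # $1 = shared dir, $2 = data
    tmpfile=$(mktemp "$1/agent-state.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpfile"
}

# Plant a symlink at the predictable name, run one writer, then print what
# the symlink's target contains afterwards.
run_demo() {              # $1 = unsafe | safe
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    printf 'original\n' > "$sandbox/victim.conf"
    ln -s "$sandbox/victim.conf" "$sandbox/shared/agent-state.tmp"
    "write_state_$1" "$sandbox/shared" "agent data"
    cat "$sandbox/victim.conf"
    rm -rf "$sandbox"
}

echo "predictable name: target now contains '$(run_demo unsafe)'"
echo "mktemp:           target now contains '$(run_demo safe)'"
```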
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1337 https://rhn.redhat.com/errata/RHSA-2009-1337.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1339 https://rhn.redhat.com/errata/RHSA-2009-1339.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1341 https://rhn.redhat.com/errata/RHSA-2009-1341.html
GFS2 doesn't exist in RHEL4 and so far as I can tell, all required changes are already in RHEL5. So as far as I can tell there is nothing left to do for gfs2-utils. Please confirm if that is the case.
Yes, looking at the depending bugs, no more action needed for gfs2-utils.
This issue has been addressed in the following products: Cluster Suite for RHEL 4 Via RHSA-2011:0264 https://rhn.redhat.com/errata/RHSA-2011-0264.html
This issue has been addressed in the following products: Cluster Suite for RHEL 4 Via RHSA-2011:0265 https://rhn.redhat.com/errata/RHSA-2011-0265.html