Bug 599697 - CVE-2010-2061 CVE-2010-2064 rpcbind: Insecure (predictable) temporary file use
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Steve Dickson
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: impact=important,source=debian,report...
Keywords: Security
Depends On: 599703 599705
Reported: 2010-06-03 15:00 EDT by Jan Lieskovsky
Modified: 2010-08-24 09:21 EDT

Doc Type: Bug Fix
Last Closed: 2010-08-24 09:21:27 EDT
Attachments: None
Description Jan Lieskovsky 2010-06-03 15:00:42 EDT
Guillem Jover pointed out:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5

a deficiency in the way rpcbind gathered / saved registrations from / to
dumped file(s). A local attacker could use this flaw to conduct symbolic
link attacks, leading to unauthorized disclosure of sensitive information
and / or to important system files' data integrity corruption.

CVE Request:
  [2] http://www.openwall.com/lists/oss-security/2010/06/03/4
Comment 1 Jan Lieskovsky 2010-06-03 15:13:06 EDT
This issue affects the versions of the rpcbind package, as shipped
with Fedora releases 11, 12, and 13.
Comment 5 Steve Dickson 2010-06-03 19:44:37 EDT
So what is the answer here... do we need to add some type of encryption
or simply change where the file lives...
Comment 7 Vincent Danen 2010-06-09 00:02:52 EDT
The name CVE-2010-2061 has been assigned for the "any user can craft those two files before the daemon has started for the first time, which the daemon will parse".

The name CVE-2010-2064 has been assigned to the "symlinks are followed on creation of those files".

As noted: http://www.openwall.com/lists/oss-security/2010/06/08/3
Comment 8 Tomas Hoger 2010-08-24 09:17:28 EDT
(In reply to comment #1)
> This issue affects the versions of the rpcbind package, as shipped
> with Fedora release of 11, 12, and 13.

This issue did not affect those Fedora versions; it's quite possible Fedora was never affected, or was only affected for a short time long ago.  Looking at the Fedora rpcbind.spec, it contains:

  RPCBDIR=/var/lib/rpcbind 
  [ ... ]
      --with-statedir="$RPCBDIR" \

This changes the location of those two files from the default /tmp to the safe /var/lib/rpcbind (directory is not group writable).  I checked (strings on rpcbind) current and older (from F-8) builds and they use files from /var/lib/rpcbind.

Here is the patch that added support for specifying the state dir location via configure, and it also adds --with-statedir to the .spec file:

http://pkgs.fedoraproject.org/gitweb/?p=rpcbind.git;a=commitdiff;h=5af042e80a1b86c0ca2b746a520f3a5b34be2d1d
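The two issues named in comment 7 (a state file crafted before the daemon's first start gets parsed, and a symlink is followed when the file is created) both come from opening a file under a predictable name in /tmp. The following added C example, not rpcbind's own code, puts the vulnerable fopen() pattern beside a hardened opener and a self-check; the function names, the scratch directory and the two state-file names are constructed for the example, and the expected owner is assumed to be the daemon's own uid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, for contrast: fopen(..., "w") creates a missing file and
 * follows a symlink planted under the predictable name in a shared /tmp. */
FILE *open_state_file_unsafe(const char *path) { return fopen(path, "w"); }

/* Hardened opener: O_NOFOLLOW makes a symlink fail with ELOOP, and the fstat()
 * checks reject non-regular files, hard-link aliases and files not owned by the
 * daemon, so a file crafted before the first start is ignored, not parsed. */
int open_state_file_safe(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                 /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != expected_owner) {
        close(fd); errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed scratch directory (not rpcbind's real layout):
 * a symlink is planted under one constructed state-file name and the other is
 * opened legitimately. Returns 0 on the expected outcomes, else the step number. */
int demo_state_file_checks(void)
{
    char dir[] = "/tmp/rpcb-demo-XXXXXX", link[64], real[64], victim[64];
    int rc = 0, fd; FILE *fp;
    if (!mkdtemp(dir)) return 1;
    snprintf(link, sizeof link, "%s/portmap.xdr", dir);
    snprintf(real, sizeof real, "%s/rpcbind.xdr", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0) rc = 2;
    else if (!(fp = open_state_file_unsafe(link))) rc = 3;  /* "creates" the state file... */
    else if (fclose(fp), access(victim, F_OK) != 0) rc = 4; /* ...but victim was written */
    else if (open_state_file_safe(link, getuid()) != -1 || errno != ELOOP) rc = 5;
    else if ((fd = open_state_file_safe(real, getuid())) < 0) rc = 6;
    else close(fd);
    unlink(victim); unlink(link); unlink(real); rmdir(dir);
    return rc;
}
```

Moving the files to a root-owned, non-world-writable state directory, as the Fedora spec does, removes the planting opportunity; the opener checks above are the belt-and-braces that make the daemon robust even if the directory is misconfigured.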
