Bug 599697 (CVE-2010-2061, CVE-2010-2064) - CVE-2010-2061 CVE-2010-2064 rpcbind: Insecure (predictable) temporary file use
Summary: CVE-2010-2061 CVE-2010-2064 rpcbind: Insecure (predictable) temporary file use
Status: CLOSED NOTABUG
Alias: CVE-2010-2061, CVE-2010-2064
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Steve Dickson
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: impact=important,source=debian,report...
Keywords: Security
Depends On: 599703 599705
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-03 19:00 UTC by Jan Lieskovsky
Modified: 2010-08-24 13:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-24 13:21:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-06-03 19:00:42 UTC
Guillem Jover pointed out:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583435#5

a deficiency in the way rpcbind gathered / saved registrations from / to
dumped file(s). A local attacker could use this flaw to conduct symbolic
link attacks, leading to un-authorized disclosure of sensitive information
and / or to important system files data integrity corruption.

CVE Request:
  [2] http://www.openwall.com/lists/oss-security/2010/06/03/4

Comment 1 Jan Lieskovsky 2010-06-03 19:13:06 UTC
This issue affects the versions of the rpcbind package, as shipped
with Fedora release of 11, 12, and 13.

Comment 5 Steve Dickson 2010-06-03 23:44:37 UTC
So what is the answer here... do we need to add some type encryption
or simply change where the file lives...

Comment 7 Vincent Danen 2010-06-09 04:02:52 UTC
The name CVE-2010-2061 has been assigned for the "any user can craft those two files before the daemon has started for the first time, which the daemon will parse".

The name CVE-2010-2064 has been assigned to the "symlinks are followed on creation of those files".

As noted: http://www.openwall.com/lists/oss-security/2010/06/08/3

Comment 8 Tomas Hoger 2010-08-24 13:17:28 UTC
(In reply to comment #1)
> This issue affects the versions of the rpcbind package, as shipped
> with Fedora release of 11, 12, and 13.

This issue did not affect those Fedora versions, it's quite possible Fedora was never affected, or was only affected for a short time long ago.  Looking at the Fedora rpcbind.spec, it contains:

  RPCBDIR=/var/lib/rpcbind 
  [ ... ]
      --with-statedir="$RPCBDIR" \

This changes location of those two files form default /tmp to safe /var/lib/rpcbind (directory is not group writeable).  I checked (strings on rpcbind) current and older (from F-8) builds and they use files form /var/lib/rpcbind.

Here is the patch that added support for specifying state dir location via configure, and it also add --with-statedir to .spec file:

http://pkgs.fedoraproject.org/gitweb/?p=rpcbind.git;a=commitdiff;h=5af042e80a1b86c0ca2b746a520f3a5b34be2d1d


Note You need to log in before you can comment on or make changes to this bug.