Bug 669965 - unsafe use of /tmp
unsafe use of /tmp
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: fail2ban (Show other bugs)
14
All Linux
low Severity medium
: ---
: ---
Assigned To: Axel Thimm
Fedora Extras Quality Assurance
:
: 700769 (view as bug list)
Depends On:
Blocks: 669966
  Show dependency treegraph
 
Reported: 2011-01-16 04:46 EST by Phil Anderson
Modified: 2011-04-30 09:32 EDT (History)
3 users (show)

See Also:
Fixed In Version: fail2ban-0.8.4-27.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-18 00:03:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Phil Anderson 2011-01-16 04:46:04 EST
fail2ban insecurely uses predictable tmp files for the following actions:
dshield
mail-buffered
sendmail-buffered
mynetwatchman

While mktemp in /tmp could work for some, others are are persistent (i.e. dshield), so need a predictable path like /var/lib/fail2ban.

Note that SELinux currently allow fail2ban to work with files in /tmp.  I'll create another bug with this blocking, as the solution for this should be decided before updating the policy.

FYI, why predictable tmp files are :
http://www.linuxsecurity.com/content/view/115462/151/
Comment 1 Fedora Update System 2011-04-09 15:07:04 EDT
fail2ban-0.8.4-27.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc14
Comment 2 Fedora Update System 2011-04-09 15:07:39 EDT
fail2ban-0.8.4-27.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc13
Comment 3 Fedora Update System 2011-04-09 15:08:12 EDT
fail2ban-0.8.4-27.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15
Comment 4 Fedora Update System 2011-04-09 21:43:55 EDT
Package fail2ban-0.8.4-27.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.8.4-27.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2011-04-18 00:02:36 EDT
fail2ban-0.8.4-27.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2011-04-25 16:50:20 EDT
fail2ban-0.8.4-27.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2011-04-25 16:55:03 EDT
fail2ban-0.8.4-27.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Axel Thimm 2011-04-30 09:32:14 EDT
*** Bug 700769 has been marked as a duplicate of this bug. ***
Comment 9 Axel Thimm 2011-04-30 09:32:29 EDT
*** Bug 700763 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.