Bug 886364 (CVE-2012-5635) - CVE-2012-5635 GlusterFS: insecure temporary file creation
Summary: CVE-2012-5635 GlusterFS: insecure temporary file creation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 894870 894871 894872
Depends On: 886365
Blocks: 886367
Reported: 2012-12-12 06:35 UTC by Kurt Seifried
Modified: 2023-05-12 19:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-08-22 02:51:42 UTC
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:0691 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Storage 2.0 security, bug fix, and enhancement update #4 | 2013-03-29 02:21:19 UTC

Description Kurt Seifried 2012-12-12 06:35:11 UTC
Following the fixing of several /tmp/ flaws in CVE-2012-4417 we have the 
remaining issues in Gluster reported by Kurt Seifried (kseifried):

==============
This issue was previously not reported:
This should probably use /var/run/gluster/glusterdump.%d.options

tests/volume.rc:        rm -f /tmp/glusterdump.$mount_pid.dump.* 2>/dev/null
tests/volume.rc:        fname=$(ls /tmp | grep -E "glusterdump.$mount_pid.dump.*")
tests/volume.rc:        echo /tmp/$fname
==============
 
==============
This issue was previously not reported:
This should use mktemp
Also this should use cp instead of mv so you don't lose SELinux context when 
copying the file back to /etc/samba/smb.conf which might break Samba

extras/hook-scripts/S30samba-stop.sh:        cp /etc/samba/smb.conf /tmp/smb.conf
extras/hook-scripts/S30samba-stop.sh:        sed -i "/gluster-$volname/,/^$/d" /tmp/smb.conf &&\
extras/hook-scripts/S30samba-stop.sh:                mv /tmp/smb.conf /etc/samba/smb.conf
==============

==============
This issue was previously reported:
This should use mkstemp()

libglusterfs/src/run.c:        fd = open ("/tmp/foof", O_WRONLY|O_CREAT|O_TRUNC, 0600);
==============

==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

libglusterfs/src/statedump.c:/* These options are dumped by default if /tmp/glusterdump.options
libglusterfs/src/statedump.c:        /* glusterd will create a file /tmp/glusterdump.<pid>.options and
libglusterfs/src/statedump.c:           both cli command and SIGUSR1, /tmp/glusterdump.options file
libglusterfs/src/statedump.c:                  "/tmp/glusterdump.options");
libglusterfs/src/statedump.c:                          "/tmp/glusterdump.%d.options", getpid ());
libglusterfs/src/statedump.c:                   ((ctx->statedump_path != NULL)?ctx->statedump_path:"/tmp")),
==============

==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

xlators/protocol/server/src/server.c:          .default_value = "/tmp",
xlators/protocol/server/src/server.c:                         " statedumps. By default it is the /tmp directory"
==============
 
==============
This issue was previously reported:
This should probably use /var/run/gluster/%s-"RB_CLIENT_MOUNTPOINT

xlators/mgmt/glusterd/src/glusterd-replace-brick.c:        snprintf (path, len, "/tmp/%s-"RB_CLIENT_MOUNTPOINT, volinfo->volname);
==============

 
==============
This issue was previously reported:
This should probably use /var/run/gluster/glusterdump.%d.options

xlators/mgmt/glusterd/src/glusterd-utils.c:                  snprintf (dumpoptions_path, sizeof (dumpoptions_path), "/tmp/glusterdump.%d.options", pid);
xlators/mgmt/glusterd/src/glusterd-utils.c:                  snprintf (dumpoptions_path, sizeof (dumpoptions_path), "/tmp/glusterdump.%d.options", pid);
==============
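
The mktemp and cp-instead-of-mv suggestions for S30samba-stop.sh in the description above, as an added example that is not part of the bug report or the GlusterFS source. The function names, arguments and sample config are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not GlusterFS code. remove_gluster_share, inode_of and the
# sample config in demo() are constructed for this illustration.

remove_gluster_share() {
    local volname="$1" conf="${2:-/etc/samba/smb.conf}" tmp rc

    # mktemp creates the file exclusively (O_EXCL), mode 0600, under an
    # unpredictable name; a pre-existing /tmp/smb.conf is never opened.
    tmp=$(mktemp "${TMPDIR:-/tmp}/smb.conf.XXXXXX") || return 1

    # Same sed expression as the hook script, written to the private file.
    # cp then rewrites $conf in place, so its inode, owner, mode and SELinux
    # label survive; mv would swap in the scratch file's inode and label.
    sed "/gluster-$volname/,/^$/d" "$conf" > "$tmp" && cp "$tmp" "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Inode number of a file, used to show the destination is not replaced.
inode_of() { ls -i "$1" | awk '{print $1}'; }

demo() {
    local dir conf before after
    dir=$(mktemp -d) || return 1
    conf="$dir/smb.conf"
    # Constructed sample config with two gluster shares.
    printf '%s\n' '[global]' 'workgroup = TEST' '' \
        '[gluster-vol1]' 'path = /' '' \
        '[gluster-vol2]' 'path = /' > "$conf"
    before=$(inode_of "$conf")
    remove_gluster_share vol1 "$conf"
    after=$(inode_of "$conf")
    echo "inode before=$before after=$after"
    cat "$conf"
    rm -rf "$dir"
}

demo
```

Because cp rewrites the destination in place, the update is not atomic: a reader can briefly see a partially written smb.conf.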

Comment 1 Kurt Seifried 2013-01-31 05:02:50 UTC
*** Bug 894870 has been marked as a duplicate of this bug. ***

Comment 2 Kurt Seifried 2013-01-31 05:03:18 UTC
*** Bug 894871 has been marked as a duplicate of this bug. ***

Comment 3 Kurt Seifried 2013-01-31 05:04:07 UTC
*** Bug 894872 has been marked as a duplicate of this bug. ***

Comment 4 Murray McAllister 2013-02-14 03:45:28 UTC
Acknowledgements:

These issues were discovered by Kurt Seifried of the Red Hat Security Response Team and Michael Scherer of the Red Hat Regional IT team.

Comment 6 errata-xmlrpc 2013-03-28 22:28:05 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.0
  Red Hat Storage 2.0 Console
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2013:0691 https://rhn.redhat.com/errata/RHSA-2013-0691.html

