The cman package as shipped with Red Hat Enterprise Linux 5 and within Fedora release starting from 9 is prone to the symlink attack.

Affected file: /sbin/fence_egenera

Relevant part of the code:

    sub pserver_shutdown
    {
        my $rtrn=1;
        local *egen_log;
        open(egen_log,">/tmp/eglog");
        for (my $trys=0; $trys<20; $trys++)
        {
            last if (pserver_status != 0);


            my $status = $_;
    . . .

Description: A malicious user could precreate a symlink, pointing to the file /tmp/eglog. Subsequent run of the '/sbin/egenera' command would destroy / truncate the target of this link to zero length.

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496374 (part for cman)

Affected versions: This issue affects the version of cman package, as shipped with Red Hat Enterprise Linux 5 and those, shipped within the Fedora release starting from 9. The cman package as shipped with Red Hat Enterprise Linux 4 Cluster Suite product and that one, shipped within Fedora release of 8, are not affected by this issue.
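The open() pattern quoted in the report above, next to a hardened variant, as an added example (not code from cman or from the upstream fix). The helper names open_log_unsafe and open_log_safe are hypothetical, and every path is constructed inside a private temporary directory.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_APPEND O_NOFOLLOW);
use File::Temp qw(tempdir);

# Pattern from the report: open(egen_log, ">/tmp/eglog") follows a symlink
# at the log path and truncates whatever file it points to.
sub open_log_unsafe {
    my ($path) = @_;
    open(my $fh, '>', $path) or return;
    return $fh;
}

# Hardened variant (hypothetical helper): O_NOFOLLOW makes the open fail when
# the final path component is a symlink, and there is no O_TRUNC, so an
# existing file is appended to, never emptied.
sub open_log_safe {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600)
        or return;
    # Reject anything that is not a regular, singly linked file we own.
    my @st = stat($fh);
    unless (-f _ && $st[4] == $> && $st[3] == 1) { close($fh); return; }
    return $fh;
}

# Self-check with constructed files: a log path that is a symlink to a
# file holding data, opened once with each helper.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/important.conf";   # constructed stand-in for a system file
my $log    = "$dir/eglog";            # constructed stand-in for /tmp/eglog

my @cases = ([unsafe => \&open_log_unsafe], [safe => \&open_log_safe]);
for my $case (@cases) {
    my ($name, $opener) = @$case;
    open(my $t, '>', $target) or die "setup: $!";
    print $t "data\n";
    close($t);
    unlink($log);
    symlink($target, $log) or die "symlink: $!";

    my $fh = $opener->($log);
    close($fh) if $fh;
    printf "%-6s opened=%s target_size=%d\n",
        $name, ($fh ? 'yes' : 'no'), (stat($target))[7];
}
```

Writing the log under a directory that only root can modify removes the precondition altogether, since an unprivileged user cannot place a link there.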
This issue also affects Red Hat Cluster Suite for Red Hat Enterprise Linux 4; the affected egenera fencing agent is shipped as part of the fence package.

Logging to a file in /tmp was added in the following commit: http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=db7da413 as part of the fix for bug #251358 / bug #233428.
FYI this bug also affects Fedora 9, all the 2.03. stable releases and the 2.99. unstable releases.

A bug fix for 2.99 was checked in a few minutes ago. Updates for 2.03 and Fedora will be produced at the beginning of next week.

Fabio
rgmanager-2.03.08-1.fc9, gfs2-utils-2.03.08-1.fc9, cman-2.03.08-1.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Cluster Suite for RHEL 4

Via RHSA-2011:0266 https://rhn.redhat.com/errata/RHSA-2011-0266.html
This was corrected in RHEL5 via RHBA-2010:0266.