Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4579 to the following vulnerability: The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file. References: http://bugs.gentoo.org/show_bug.cgi?id=240576 http://www.openwall.com/lists/oss-security/2008/10/13/3
Issue affects fence packages in the Red Hat Cluster Suite for Red Hat Enterprise Linux 4, and cman packages in the Red Hat Enterprise Linux 5. Affected log file - /tmp/apclog - is no longer created by the current git version of apc fencing agents: http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=tree;f=fence/agents;hb=HEAD
It also affects cman packages in Fedora9 and the whole cluster-2.03 release. Backport from master will be available in the 2.03 series at the beginning of next week. The 2.99.xx releases are also affected for fence_apc_snmp for all releases prior to 2.99.07 (not affected). Fabio
rgmanager-2.03.08-1.fc9, gfs2-utils-2.03.08-1.fc9, cman-2.03.08-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1341 https://rhn.redhat.com/errata/RHSA-2009-1341.html
This issue has been addressed in following products: CLuster Suite for RHEL 4 Via RHSA-2011:0266 https://rhn.redhat.com/errata/RHSA-2011-0266.html