Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200508-05 ] Heartbeat: Insecure temporary file creation
Date: Sun, 07 Aug 2005 07:15:19
Message-Id: 200508070857.29233.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200508-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Heartbeat: Insecure temporary file creation
9 Date: August 07, 2005
10 Bugs: #97175
11 ID: 200508-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Heartbeat is vulnerable to symlink attacks, potentially allowing a
19 local user to overwrite arbitrary files.
20
21 Background
22 ==========
23
24 Heartbeat is a component of the High-Availability Linux project. It it
25 used to perform death-of-node detection, communications and cluster
26 management.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 sys-cluster/heartbeat < 1.2.3-r1 >= 1.2.3-r1
35
36 Description
37 ===========
38
39 Eric Romang has discovered that Heartbeat insecurely creates temporary
40 files with predictable filenames.
41
42 Impact
43 ======
44
45 A local attacker could create symbolic links in the temporary file
46 directory, pointing to a valid file somewhere on the filesystem. When a
47 vulnerable script is executed, this could lead to the file being
48 overwritten with the rights of the user running the affected
49 application.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Heartbeat users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=sys-cluster/heartbeat-1.2.3-r1"
63
64 References
65 ==========
66
67 [ 1 ] CAN-2005-2231
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2231
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 http://security.gentoo.org/glsa/glsa-200508-05.xml
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 http://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2005 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.0