Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200411-22 ] Davfs2, lvm-user: Insecure tempfile handling
Date: Thu, 11 Nov 2004 21:23:19
Message-Id: 200411112217.06747.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200411-22
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Davfs2, lvm-user: Insecure tempfile handling
9 Date: November 11, 2004
10 Bugs: #68406, #69149
11 ID: 200411-22
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Davfs2 and the lvmcreate_initrd script (included in the lvm-user
19 package) are both vulnerable to symlink attacks, potentially allowing
20 a local user to overwrite arbitrary files with the rights of the user
21 running them.
22
23 Background
24 ==========
25
26 Davfs2 is a file system driver that allows you to mount a WebDAV server
27 as a local disk drive. lvm-user is a package providing userland
28 utilities for LVM (Logical Volume Management) 1.x features.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 net-fs/davfs2 < 0.2.2-r1 >= 0.2.2-r1
37 2 sys-fs/lvm-user < 1.0.7-r2 >= 1.0.7-r2
38 -------------------------------------------------------------------
39 2 affected packages on all of their supported architectures.
40 -------------------------------------------------------------------
41
42 Description
43 ===========
44
45 Florian Schilhabel from the Gentoo Linux Security Audit Team found that
46 Davfs2 insecurely created .pid files in /tmp. Furthermore, Trustix
47 Secure Linux found that the lvmcreate_initrd script, included in the
48 lvm-user Gentoo package, also creates temporary files in
49 world-writeable directories with predictable names.
50
51 Impact
52 ======
53
54 A local attacker could create symbolic links in the temporary files
55 directory, pointing to a valid file somewhere on the filesystem. When
56 Davfs2 or lvmcreate_initrd is called, this would result in the file
57 being overwritten with the rights of the user running the software,
58 which could be the root user.
59
60 Workaround
61 ==========
62
63 There is no known workaround at this time.
64
65 Resolution
66 ==========
67
68 All Davfs2 users should upgrade to the latest version:
69
70 # emerge --sync
71 # emerge --ask --oneshot --verbose ">=net-fs/davfs2-0.2.2-r1"
72
73 All lvm-user users should upgrade to the latest version:
74
75 # emerge --sync
76 # emerge --ask --oneshot --verbose ">=sys-fs/lvm-user-1.0.7-r2"
77
78 References
79 ==========
80
81 [ 1 ] CAN-2004-0972
82 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972
83
84 Availability
85 ============
86
87 This GLSA and any updates to it are available for viewing at
88 the Gentoo Security Website:
89
90 http://security.gentoo.org/glsa/glsa-200411-22.xml
91
92 Concerns?
93 =========
94
95 Security is a primary focus of Gentoo Linux and ensuring the
96 confidentiality and security of our users machines is of utmost
97 importance to us. Any security concerns should be addressed to
98 security@g.o or alternatively, you may file a bug at
99 http://bugs.gentoo.org.
100
101 License
102 =======
103
104 Copyright 2004 Gentoo Foundation, Inc; referenced text
105 belongs to its owner(s).
106
107 The contents of this document are licensed under the
108 Creative Commons - Attribution / Share Alike license.
109
110 http://creativecommons.org/licenses/by-sa/2.0