Hello Salvatore, I don't think we are affected by this problem.
The versions of targetcli-fb in Debian are <= 2.1.49.

I just checked the permissions on my test VM:

root@debian-iscsi-target:~# ls -lh /etc/ | grep target
drwxr-xr-x 3 root root 4.0K Jul 23 2019 rtslib-fb-target
drwx------ 2 root root 4.0K Dec 29 2015 target
root@debian-iscsi-target:~# ls -lh /etc/target/
total 12K
-rw------- 1 root root 12K Jul 2 2016 scsi_target.lio
root@debian-iscsi-target:~# ls -lh /etc/rtslib-fb-target/
total 20K
drwxr-xr-x 2 root root 4.0K Jul 22 2019 backup
-rw------- 1 root root 15K Jul 23 2019 saveconfig.json
root@debian-iscsi-target:~# ls -lh /etc/rtslib-fb-target/backup/
total 48K
-rw------- 1 root root 12K Dec 24 2018 saveconfig-20181224-02:11:32.json
-rw------- 1 root root 15K Dec 24 2018 saveconfig-20181224-04:59:57.json
-rw------- 1 root root 69 Jul 22 2019 saveconfig-20190722-11:29:31.json
-rw------- 1 root root 15K Jul 22 2019 saveconfig-20190722-11:31:50.json

And the following, after doing an immediate run.

/> status
Status for /:
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/rtslib-fb-target/backup/.
Configuration saved to /etc/rtslib-fb-target/saveconfig.json
root@debian-iscsi-target:~# ls -lh /etc/rtslib-fb-target/
total 20K
drwxr-xr-x 2 root root 4.0K Jun 7 03:56 backup
-rw------- 1 root root 15K Jun 7 03:56 saveconfig.json
root@debian-iscsi-target:~# ls -lh /etc/rtslib-fb-target/backup/
total 64K
-rw------- 1 root root 12K Dec 24 2018 saveconfig-20181224-02:11:32.json
-rw------- 1 root root 15K Dec 24 2018 saveconfig-20181224-04:59:57.json
-rw------- 1 root root 69 Jul 22 2019 saveconfig-20190722-11:29:31.json
-rw------- 1 root root 15K Jul 22 2019 saveconfig-20190722-11:31:50.json
-rw------- 1 root root 15K Jun 7 03:56 saveconfig-20200607-03:56:09.json

On Sat, 2020-06-06 at 13:30 +0200, Salvatore Bonaccorso wrote:
> Source: targetcli-fb
> Version: 2.1.fb49-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/open-iscsi/targetcli-fb/pull/172
>
> Hi,
>
> The following vulnerability was published for targetcli-fb.
>
> CVE-2020-13867[0]:
> > Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for
> > /etc/target (and for the backup directory and backup files).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-13867
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13867
> [1] https://github.com/open-iscsi/targetcli-fb/pull/172
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
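
Added example, not part of the original message and not targetcli-fb code: a scripted form of the manual ls checks in this thread, reporting every directory and regular file under the given roots that has any group or other permission bit set. The function name audit_tree and the script name audit.sh are assumptions made for illustration; the two paths in the usage comment are the ones listed in the message.

```shell
#!/bin/sh
# Added example: audit targetcli-fb config trees for group/other access.

# audit_tree ROOT...
# Prints `ls -ld` for every directory or regular file under each ROOT
# (ROOT included) that has any group or other permission bit set.
# Returns 0 if nothing was found, 1 otherwise.
audit_tree() {
    found=0
    for root in "$@"; do
        if [ ! -e "$root" ]; then
            echo "skip: $root does not exist" >&2
            continue
        fi
        # Six -perm tests instead of GNU-only "-perm /077" so this also
        # runs with non-GNU find implementations.
        hits=$(find "$root" \( -type d -o -type f \) \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$hits" ]; then
            found=1
            # Assumes path names contain no newlines.
            printf '%s\n' "$hits" | while IFS= read -r path; do
                ls -ld "$path"
            done
        fi
    done
    return "$found"
}

# Run only when roots are passed on the command line, e.g.
#   sh audit.sh /etc/target /etc/rtslib-fb-target
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

Run it as root so find can descend into directories that are already 0700.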