Your message dated Fri, 05 Mar 2010 19:52:51 +0000
with message-id <e1nndzr-00008v...@ries.debian.org>
and subject line Bug#547011: fixed in open-iscsi 2.0.870~rc3-0.4.1
has caused the Debian Bug report #547011,
regarding Insecure temporary file name in iscsi_discovery
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
547011: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547011
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: open-iscsi
Severity: important
Tags: security
The following report was sent to us by Kees Cook; this is CVE-2009-1297.
There are currently more important issues scheduled for DSAs, please fix
this one by preparing an update for the next stable point update. Etch
is not affected.
Cheers,
Moritz
Colin Watson reported the following bug:
https://launchpad/bugs/408915
The iscsi_discovery shell script, typically run as root, contains the
following code:
df=/tmp/discovered.$$
dbg "starting discovery to $ip"
iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}
This is a standard security vulnerability and should be replaced by use of
mktemp or shell variables.
The proposed patch is attached.
diff -u open-iscsi-2.0.870.1/utils/iscsi_discovery
open-iscsi-2.0.870.1/utils/iscsi_discovery
--- open-iscsi-2.0.870.1/utils/iscsi_discovery
+++ open-iscsi-2.0.870.1/utils/iscsi_discovery
@@ -128,24 +128,22 @@
connected=0
discovered=0
- df=/tmp/discovered.$$
dbg "starting discovery to $ip"
- iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}
- while read portal target
+ disc="$(iscsiadm -m discovery --type sendtargets --portal
${ip}:${port})"
+ echo "${disc}" | while read portal target
do
portal=${portal%,*}
select_transport
- done < ${df}
+ done
- discovered=$(cat ${df} | wc -l)
+ discovered=$(echo "${disc}" | wc -l)
if [ ${discovered} = 0 ]; then
echo "failed to discover targets at ${ip}"
exit 2
else
echo "discovered ${discovered} targets at ${ip}"
fi
- /bin/rm -f ${df}
}
try_login()
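Review bot: the new count at `+ discovered=$(echo "${disc}" | wc -l)` can never be 0, so the `failed to discover targets at ${ip}` branch right below it becomes unreachable: when iscsiadm prints nothing, `${disc}` is empty, `echo` still emits one newline, and `wc -l` reports 1. Check for an empty result first (`[ -z "${disc}" ]`) or count non-empty lines with `printf '%s\n' "${disc}" | grep -c .`. A second point: `+ echo "${disc}" | while read portal target` runs the loop body in a subshell in bash and dash, so if `select_transport` updates `connected` (initialised to 0 in the context above), that update is lost once the loop ends, whereas the removed `done < ${df}` kept the loop in the current shell. Feeding the loop from a here-document built from `${disc}` keeps the temp-file removal without introducing the subshell.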
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages open-iscsi depends on:
ii libc6 2.9-26 GNU C Library: Shared libraries
open-iscsi recommends no packages.
open-iscsi suggests no packages.
--- End Message ---
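As an added example (not code from open-iscsi or from the patch above), the discovery step rewritten with an mktemp-created temporary file, a loop that keeps its variables, and a target count that stays correct on empty output; iscsiadm is replaced by a constructed fake_discovery function and the portal/target lines are made up.

```shell
#!/bin/sh
# Added example, not code from open-iscsi or from Colin Watson's patch: the
# discovery step with mktemp(1) instead of the predictable /tmp/discovered.$$
# name, plus a target count that is correct when discovery returns nothing.

# Constructed stand-in for "iscsiadm -m discovery --type sendtargets";
# both portal/target lines are made up for this example.
fake_discovery() {
    printf '%s\n' '192.0.2.10:3260,1 iqn.2001-04.com.example:disk1' \
                  '192.0.2.11:3260,1 iqn.2001-04.com.example:disk2'
}

# The count used by the script: echo always emits a newline, so an empty
# discovery result is reported as 1 target and the "failed" branch never runs.
naive_count() {
    echo "$1" | wc -l | tr -d ' '
}

# Count only non-empty lines; "|| true" stops grep's exit status 1 on zero
# matches from aborting callers that run under "set -e".
count_targets() {
    printf '%s\n' "$1" | grep -c . || true
}

# Hardened discovery: mktemp creates a file with a random name and mode 0600,
# so another local user cannot pre-create or symlink the path; the EXIT trap
# removes it however the function ends. Reading the loop from the file rather
# than from a pipe keeps assignments made inside the loop visible afterwards.
run_discovery() {
    df=$(mktemp) || return 1
    trap 'rm -f "$df"' EXIT
    fake_discovery > "$df"
    connected=0
    while read -r portal target; do
        portal=${portal%,*}           # strip ",<tpgt>" as the script does
        connected=$((connected + 1))  # stands in for select_transport's bookkeeping
    done < "$df"
    discovered=$(count_targets "$(cat "$df")")
    rm -f "$df"
    trap - EXIT
    echo "$discovered $connected"
}
```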
--- Begin Message ---
Source: open-iscsi
Source-Version: 2.0.870~rc3-0.4.1
We believe that the bug you reported is fixed in the latest version of
open-iscsi, which is due to be installed in the Debian FTP archive:
open-iscsi_2.0.870~rc3-0.4.1.diff.gz
to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1.diff.gz
open-iscsi_2.0.870~rc3-0.4.1.dsc
to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1.dsc
open-iscsi_2.0.870~rc3-0.4.1_amd64.deb
to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 547...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <r...@researchut.com> (supplier of updated open-iscsi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Mar 2010 14:20:24 +0530
Source: open-iscsi
Binary: open-iscsi
Architecture: source amd64
Version: 2.0.870~rc3-0.4.1
Distribution: stable
Urgency: low
Maintainer: Philipp Hug <deb...@hug.cx>
Changed-By: Ritesh Raj Sarraf <r...@researchut.com>
Description:
open-iscsi - High performance, transport independent iSCSI implementation
Closes: 547011
Changes:
open-iscsi (2.0.870~rc3-0.4.1) stable; urgency=low
.
* Fix CVE-2009-1297 (Closes: #547011) - thanks to Colin Watson for
the patch
--- End Message ---