Your message dated Sat, 08 Jan 2011 23:17:14 +0000
with message-id <e1pbi26-0005uf...@franck.debian.org>
and subject line Bug#609304: fixed in pimd 2.1.6-1
has caused the Debian Bug report #609304,
regarding pimd: Insecure file creation in /var/tmp (CVE-2011-0007)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
609304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pimd
Version: 2.1.5-3
Severity: critical
Tags: security patch upstream
Justification: root security hole
Hi!
There is a simple security hole in pimd allowing a user to destroy any
file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
a dump of the multicast route table. Since /var/tmp is writable by any
user, a user can create a symlink to any file he wants to destroy with
the content of the multicast routing table.
Attached is a simple patch that will instruct pimd to write the dump
to /var/lib/misc which is writable by root only and seems a valid
target according to the FHS (state files that don't need a
subdirectory).
This patch may cause tools that were sending USR1 and waiting for a
/var/tmp/pimd.dump file to fail. I don't have a solution for this.
The patch also applies to /var/tmp/pimd.cache which is not implemented
yet but still creates the file when receiving the USR2 signal. Despite its
name, this is also a state file, not a cache. The patch also just
drops the possibility to use /usr/tmp/pimd.dump based on some C
preprocessor conditions since I don't know if the preconditions would
work correctly on Debian/kFreeBSD.
This vulnerability was reported to the Debian Security Team and has been
assigned CVE-2011-0007.
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pimd depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
pimd recommends no packages.
pimd suggests no packages.
-- no debconf information
diff -Naur pimd-2.1.5/pathnames.h pimd-2.1.5-patched/pathnames.h
--- pimd-2.1.5/pathnames.h 2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pathnames.h 2011-01-05 23:17:29.598581558 +0100
@@ -40,13 +40,7 @@
#define __PIMD_PATHNAMES_H__
#define _PATH_PIMD_CONF "/etc/pimd.conf"
-
-#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)
-#define _PATH_PIMD_DUMP "/var/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE "/var/tmp/pimd.cache"
-#else /* Really old system ... */
-#define _PATH_PIMD_DUMP "/usr/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE "/usr/tmp/pimd.cache"
-#endif
+#define _PATH_PIMD_DUMP "/var/lib/misc/pimd.dump"
+#define _PATH_PIMD_CACHE "/var/lib/misc/pimd.cache"
#endif /* __PIMD_PATHNAMES_H__ */
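Review bot: the new hard-coded /var/lib/misc paths only close the symlink exposure if that directory exists and is writable by root alone, and this hunk does not create it; if it is absent on a given system the dump on USR1 simply fails with ENOENT, so the packaging (or the daemon at startup) should ensure the directory is present. Since the hunk changes only the path macros and not how the file is opened, it would also be worth opening the dump with O_NOFOLLOW and validating the descriptor with fstat, so the daemon stays safe even if the directory's permissions are later loosened. Removing the BSD/__linux__ conditional also drops the /usr/tmp fallback for old systems; the report says so, and the changelog should note it too.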
diff -Naur pimd-2.1.5/pimd.8 pimd-2.1.5-patched/pimd.8
--- pimd-2.1.5/pimd.8 2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pimd.8 2011-01-05 23:18:18.781100239 +0100
@@ -327,12 +327,12 @@
The same as TERM.
.It USR1
Dumps the internal state of VIFs and multicast routing tables to
-.Pa /var/tmp/pimd.dump .
+.Pa /var/lib/misc/pimd.dump .
See also the --show-routes option above.
.\" Not implemented yet, still TODO
.\" .It USR2
.\" Dumps the internal cache tables to
-.\" .Pa /var/tmp/pimd.cache .
+.\" .Pa /var/lib/misc/pimd.cache .
.\" Also not implemented yet, TODO
.\" .It QUIT
.\" Dumps the internal routing tables to stderr (only if
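Review bot: the USR1 paragraph is updated to the new path but says nothing about the location having changed; since the report itself notes that scripts sending USR1 and then waiting for /var/tmp/pimd.dump will break, a one-line remark here (e.g. "Earlier versions wrote the dump to /var/tmp/pimd.dump") would help operators update them. The commented-out USR2 lines match the pathnames.h change.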
@@ -346,10 +346,10 @@
.Pa /var/run/pimd.pid
upon startup.
.Sh FILES
-.Bl -tag -width /var/tmp/pimd.cache -compact
+.Bl -tag -width /var/lib/misc/pimd.cache -compact
.It Pa /etc/pimd.conf
-.\" .It Pa /var/tmp/pimd.cache
-.It Pa /var/tmp/pimd.dump
+.\" .It Pa /var/lib/misc/pimd.cache
+.It Pa /var/lib/misc/pimd.dump
.It Pa /var/run/pimd.pid
.El
.Sh SEE ALSO
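Review bot: minor: the .Bl -width argument is set to /var/lib/misc/pimd.cache, an entry that is commented out in this list; the longest visible item is /var/lib/misc/pimd.dump. Harmless, but if the cache entry stays out of the list, using the dump path as the width keeps the tag column tight.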
--- End Message ---
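The symlink exposure the report above describes (a predictable dump path in a world-writable directory), shown from the defender's side as an added example that is not part of the bug report or of pimd's source: a dump writer that refuses a symlink or hard link at the target, plus a self-check that plants a symlink in a scratch directory and confirms the target file is left untouched. Function names, the scratch path under /tmp and the sample contents are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write a state dump to `path` without following a symlink planted there.
 * O_NOFOLLOW makes open(2) fail with ELOOP on a symlink; the descriptor is
 * inspected before truncation so a hard link to another user's file is never
 * clobbered either. Returns 0 on success, -1 if refused or I/O fails. */
int write_dump_nofollow(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* fstat checks the object actually opened, not the name: no TOCTOU gap. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    return close(fd);
}

/* Self-check in a scratch directory (constructed): a symlink at the dump path,
 * standing in for the one the report describes, must be refused with its target
 * intact, while a plain path is written. Returns 1 when all three conditions hold. */
int dump_writer_refuses_symlink(void)
{
    char dir[] = "/tmp/pimd-dump-XXXXXX", target[64], lnk[64], plain[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/pimd.dump", dir);
    snprintf(plain, sizeof plain, "%s/pimd.plain", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);   /* file that must survive */
    if (t < 0 || write(t, "keep", 4) != 4 || close(t) < 0 || symlink(target, lnk) < 0)
        return 0;
    int refused = write_dump_nofollow(lnk, "dump\n", 5) == -1 && errno == ELOOP;
    int written = write_dump_nofollow(plain, "dump\n", 5) == 0;
    struct stat st;
    int intact = stat(target, &st) == 0 && st.st_size == 4;
    unlink(target); unlink(lnk); unlink(plain); rmdir(dir);
    return refused && written && intact;
}
```

Moving the file to a root-only directory, as the patch does, and opening it this way are complementary: the first removes the attacker's write access to the directory, the second keeps the daemon safe if that assumption ever breaks.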
--- Begin Message ---
Source: pimd
Source-Version: 2.1.6-1
We believe that the bug you reported is fixed in the latest version of
pimd, which is due to be installed in the Debian FTP archive:
pimd_2.1.6-1.dsc
to main/p/pimd/pimd_2.1.6-1.dsc
pimd_2.1.6-1.tar.gz
to main/p/pimd/pimd_2.1.6-1.tar.gz
pimd_2.1.6-1_amd64.deb
to main/p/pimd/pimd_2.1.6-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 609...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonin Kral <a.k...@sh.cvut.cz> (supplier of updated pimd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 08 Jan 2011 23:54:41 +0100
Source: pimd
Binary: pimd
Architecture: source amd64
Version: 2.1.6-1
Distribution: unstable
Urgency: low
Maintainer: Antonin Kral <a.k...@sh.cvut.cz>
Changed-By: Antonin Kral <a.k...@sh.cvut.cz>
Description:
pimd - multicast routing daemon (PIMv2)
Closes: 609304
Changes:
pimd (2.1.6-1) unstable; urgency=low
.
* New upstream version changing location of dump file(s) to
/var/lib/misc, CVE-2011-0007, Closes: Bug#609304
--- End Message ---