Package: librrd8
Version: 1.7.0-1+b1
Severity: important

I installed collectd-core on my system and noticed that it created directories
and rrd files with strange and insecure permissions such as 0777 and 0177.  A
bit of detective work later I managed to track the problem down to this issue
in rrdtool:

  https://github.com/oetiker/rrdtool-1.x/issues/794

To summarize, librrd uses umask to affect the permissions of created files.
It first obtains the current umask so that it can restore it.  However umask
is global to the process and collectd performs rrd operations in multiple
threads.  It may happen that another thread obtains the modified umask as the
original value and restores the incorrect value after doing its thing.  Worse,
the version currently in Debian contains this call:

  saved_umask = umask(S_IRUSR|S_IWUSR);

This sets the umask to 0600, apparently in an attempt to protect files from
users other than the owner.  However the auther failed to realize that umask
is a negation of the allowed bits, so this actually exposes created files to
everyone!  The problematic call appeared in June 2016:

  https://github.com/oetiker/rrdtool-1.x/commit/cd139a8

A year later the author realized his mistake and first corrected the umask
bits:

  https://github.com/oetiker/rrdtool-1.x/commit/e1bddaf

And then removed the umask calls entirely:

  https://github.com/oetiker/rrdtool-1.x/commit/f1edd12

However there has not been a new version since then and the latest released
version (1.7.0, from May 2017) remains vulnerable.

Please pick up the fix for Debian.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.24-core2-server (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages librrd8 depends on:
ii  libc6                2.27-3
ii  libcairo2            1.15.10-3
ii  libdbi1              0.9.0-5
ii  libglib2.0-0         2.56.1-2
ii  libpango-1.0-0       1.42.1-1
ii  libpangocairo-1.0-0  1.42.1-1
ii  libpng16-16          1.6.34-1
ii  libxml2              2.9.4+dfsg1-6.1

Versions of packages librrd8 recommends:
ii  fonts-dejavu-core   2.37-1
ii  ttf-bitstream-vera  1.10-8

librrd8 suggests no packages.

-- no debconf information

Reply via email to