On 12 September 2011 19:12, Moritz Muehlenhoff <[email protected]> wrote:
> Please see http://seclists.org/oss-sec/2011/q3/429 for details.
I was aware of this issue, thanks. Just yesterday the upstream
developers fixed this bug as well as other temporary race conditions
in the code. This bug seems to happen only if both openvas-scanner
and 'ovaldi' are installed, and only under some
conditions (see below). This is because when openvas-server is
configured to use the OVAL tool it will store the results in a
temporary file. The main culprit is in openvasd/oval_plugins.c:

    sc_filename = g_strconcat (folder, "sc-out.xml", NULL);
    log_write ("SC Filename: %s\n", sc_filename);
    results_filename = "/tmp/results.xml";

    if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
      {
        log_write ("Found existing results file in %s, deleting it to avoid conflicts.", results_filename);
        g_unlink (results_filename);
      }

    sc_file = fopen (sc_filename, "w");
    if (sc_file == NULL)

Although some other race conditions have been found there.
However:
- this code gets only executed if an OVAL plugin has been added to the
Openvas-server
- neither openvas-plugins-dfsg (which provides some plugins) nor
upstream (in the downloadable plugin feeds) provide any OVAL plugin
- in order for this code to work the 'ovaldi' program needs to be
installed in the same server
Consequently, the bug is not exploitable in a default installation of
openvas-server in Debian, it is only exploitable if the sysadmin has:
- installed 'ovaldi'
- configured the openvas-server to run 'unsigned' plugins
- written his own OVAL plugins and added them to the server to be executed
In any case, this has been fixed in OpenVAS' SVN, see
http://lists.wald.intevation.org/pipermail/openvas-devel/2011-September/002725.html
I will review the fix and apply (or backport it) to the openvas-server
(2.x series in unstable) and the openvas-scanner (3.x series in
experimental).
Moritz, do you believe this bug merits a DSA? Please let me know, I
can also provide compiled packages for Wheezy if need be.
Regards
Javier
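
The pattern in the excerpt (test for a fixed name under /tmp, unlink it, write it later) compared with an exclusive create, as an added example that is not part of the original message, the OpenVAS code or the upstream fix. The scratch directory, the file names and the functions open_exclusive and symlink_demo are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened create: atomic, and fails if any entry (file or symlink) already
 * exists at path, so a planted name is never reused or followed. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Constructed scenario in a private mkdtemp() scratch directory: a symlink
 * already sits at the fixed name results.xml. Returns a bitmask, or -1 if the
 * setup fails: bit 1 = exclusive open refused the name, bit 0 = an
 * fopen(path, "w")-style open truncated the file the link points to. */
static int symlink_demo(void)
{
    char dir[] = "/tmp/racedemo-XXXXXX", target[64], fixed[64];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(fixed, sizeof fixed, "%s/results.xml", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || close(fd) != 0
        || symlink(target, fixed) != 0)
        return -1;
    fd = open_exclusive(fixed);
    if (fd < 0)
        result |= 2;
    else
        close(fd);
    fd = open(fixed, O_WRONLY | O_CREAT | O_TRUNC, 0666); /* like fopen "w" */
    if (fd >= 0)
        close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0)
        result |= 1;
    unlink(fixed); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink_demo() = %d\n", symlink_demo());
    return 0;
}
```

When an external tool has to write the file by path, placing it inside a directory created with mkdtemp(), which is mode 0700, keeps other local users from planting a name there.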