Your message dated Wed, 12 Jan 2011 22:00:08 +0000
with message-id <20110112220008.gc27...@lupin.powdarrmonkey.net>
and subject line t-p-u fix for pimd CVE-2011-0007
has caused the Debian Bug report #609304,
regarding pimd: Insecure file creation in /var/tmp (CVE-2011-0007)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
609304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pimd
Version: 2.1.5-3
Severity: critical
Tags: security patch upstream
Justification: root security hole

Hi!

There is a simple security hole in pimd allowing a user to destroy any
file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
a dump of the multicast route table. Since /var/tmp is writable by any
user, a user can create a symlink to any file he wants to destroy with
the content of the multicast routing table.

Attached is a simple patch that will instruct pimd to write the dump
to /var/lib/misc which is writable by root only and seems a valid
target according to the FHS (state files that don't need a
subdirectory).

This patch may cause tools that were sending USR1 and waiting for a
/var/tmp/pimd.dump file to fail. I don't have a solution for this.

The patch also applies to /var/tmp/pimd.cache, which is not implemented
yet but still creates the file when receiving the USR2 signal. Despite its
name, this is also a state file, not a cache. The patch also just
drops the possibility to use /usr/tmp/pimd.dump based on some C
preprocessor conditions, since I don't know if the preconditions would
work correctly on Debian/kFreeBSD.

This vulnerability was reported to Debian Security Team and has been
assigned CVE-2011-0007.

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pimd depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib

pimd recommends no packages.

pimd suggests no packages.

-- no debconf information

diff -Naur pimd-2.1.5/pathnames.h pimd-2.1.5-patched/pathnames.h
--- pimd-2.1.5/pathnames.h	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pathnames.h	2011-01-05 23:17:29.598581558 +0100
@@ -40,13 +40,7 @@
 #define __PIMD_PATHNAMES_H__
 
 #define _PATH_PIMD_CONF         "/etc/pimd.conf"
-
-#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)
-#define _PATH_PIMD_DUMP         "/var/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/var/tmp/pimd.cache"
-#else  /* Really old system ... */
-#define _PATH_PIMD_DUMP         "/usr/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/usr/tmp/pimd.cache"
-#endif
+#define _PATH_PIMD_DUMP         "/var/lib/misc/pimd.dump"
+#define _PATH_PIMD_CACHE        "/var/lib/misc/pimd.cache"
 
 #endif /* __PIMD_PATHNAMES_H__ */
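Review bot: the hunk moves the file but leaves the open unchanged: `_PATH_PIMD_DUMP` is still a fixed path opened by name, so the fix holds only as long as /var/lib/misc stays root-owned and not world-writable, and the package must make sure that directory exists before the daemon first handles USR1 (a missing directory turns the dump into an error rather than a symlink attack, but the documented behaviour still breaks). Dropping the `#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)` block also removes the /usr/tmp fallback entirely; a one-line comment next to the new `#define _PATH_PIMD_DUMP "/var/lib/misc/pimd.dump"` saying the fallback was dropped on purpose (the report's kFreeBSD reasoning) would save the next maintainer from restoring it.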
diff -Naur pimd-2.1.5/pimd.8 pimd-2.1.5-patched/pimd.8
--- pimd-2.1.5/pimd.8	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pimd.8	2011-01-05 23:18:18.781100239 +0100
@@ -327,12 +327,12 @@
 The same as TERM.
 .It USR1
 Dumps the internal state of VIFs and multicast routing tables to
-.Pa /var/tmp/pimd.dump .
+.Pa /var/lib/misc/pimd.dump .
 See also the --show-routes option above.
 .\" Not implemented yet, still TODO
 .\" .It USR2
 .\" Dumps the internal cache tables to
-.\" .Pa /var/tmp/pimd.cache .
+.\" .Pa /var/lib/misc/pimd.cache .
 .\" Also not implemented yet, TODO
 .\" .It QUIT
 .\" Dumps the internal routing tables to stderr (only if
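Review bot: the man page is kept in step with pathnames.h, including the commented-out USR2 lines, which is right. Since the USR1 dump location is a user-visible change that the report itself expects to break scripts waiting on /var/tmp/pimd.dump, consider adding a sentence after `.Pa /var/lib/misc/pimd.dump .` noting that earlier versions wrote the dump to /var/tmp, so the behaviour change is documented where users will look for it.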
@@ -346,10 +346,10 @@
 .Pa /var/run/pimd.pid
 upon startup.
 .Sh FILES
-.Bl -tag -width /var/tmp/pimd.cache -compact
+.Bl -tag -width /var/lib/misc/pimd.cache -compact
 .It Pa /etc/pimd.conf
-.\" .It Pa /var/tmp/pimd.cache
-.It Pa /var/tmp/pimd.dump
+.\" .It Pa /var/lib/misc/pimd.cache
+.It Pa /var/lib/misc/pimd.dump
 .It Pa /var/run/pimd.pid
 .El
 .Sh SEE ALSO
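Review bot: the `-width` argument on `.Bl -tag` is measured against /var/lib/misc/pimd.cache, a path that only appears on a commented-out `.It`; harmless, and it keeps the column wide enough for /var/lib/misc/pimd.dump, which is the widest visible entry. The FILES entries otherwise match the new defines in pathnames.h.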

--- End Message ---
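The report above describes the classic pattern: a daemon writing to a fixed name in a world-writable directory, where anyone can plant a symlink so the dump lands on a file of their choosing. The following C program is an added example, not pimd's code and not part of the patch; it shows the complementary code-level defence, opening the dump file with O_NOFOLLOW and validating the result, exercised in a constructed scratch directory under /tmp (the function and directory names are this example's own).

```c
/* Added example, not pimd's code: open a dump/state file so that a symlink
 * planted at the path (the CVE-2011-0007 pattern) is refused, not followed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing without following a symlink at the last component
 * and refuse anything that is not a plain, unshared file owned by the caller.
 * Returns an fd >= 0 on success, -1 with errno set (ELOOP = symlink) on refusal. */
int open_dump_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);            /* hard link, special file or foreign owner */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a scratch directory in which "pimd.dump" has been
 * made a symlink to "victim". Returns 1 if the safe open refused the link
 * and the victim's contents survived, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/pimd-demo-XXXXXX", victim[256], dump[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/pimd.dump", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("important data\n", f);     /* 15 bytes that must not be clobbered */
    fclose(f);
    if (symlink(victim, dump) < 0) return 0;
    int fd = open_dump_nofollow(dump);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) close(fd);
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 15);
    unlink(dump); unlink(victim); rmdir(dir);
    return refused && intact;
}
```

Relocating the dump to a root-owned directory, as the patch does, removes the attacker's write access; O_NOFOLLOW plus the fstat checks make the daemon robust even if the directory is later misconfigured.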
--- Begin Message ---
Version: 2.1.1-1.1

A fix for Squeeze is pending in testing-proposed-updates.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--- End Message ---
