severity 496410 important
thanks

On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave

> Binary-package: cman (2.20080629-1)
>     file: /usr/sbin/fence_egenera

The broken usage is:

    local *egen_log;
    open(egen_log,">/tmp/eglog");
    [...]
    print egen_log "shutdown: $trys $status\n";
    [...]
    print egen_log "shutdown: crash dump being performed. Waiting\n";
    [...]
    print egen_log "shutdown: $cmd being called, before open3\n";
    [...]
    print egen_log "shutdown: after calling open3\n";
    [...]
    print egen_log "shutdown: Open3 result: ", @outlines, "\n";
    [...]
    print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

This is, of course, wrong, and subject to symlink attack. However, I don't
see any way that this can be exploitable for privilege escalation, which is
the standard for 'grave' severity security bugs: it doesn't allow arbitrary
output to the file, only a finite set of strings which are not valid shell,
cron entries, password/shadow entries, or any other config file that I know
of.

So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
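
The open(">") pattern discussed in this message beside a hardened replacement, as an added example that is not part of the original e-mail or of fence_egenera. The helper names `open_log_unsafe` and `open_log_safe` are hypothetical, and every path is constructed inside a private temporary directory that stands in for /tmp.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);

# Pattern from the report: ">" follows a symlink and truncates its target.
sub open_log_unsafe {
    my ($path) = @_;
    open(my $fh, '>', $path) or return;
    return $fh;
}

# Hardened form: create the file ourselves or fail. O_EXCL rejects any name
# that already exists (a symlink included); O_NOFOLLOW is a second guard.
sub open_log_safe {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return;
    return $fh;
}

# Constructed sandbox: nothing outside $dir is touched.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/important.conf";   # file the logging process may write to
my $log    = "$dir/eglog";            # predictable log name

sub reset_target {
    open(my $t, '>', $target) or die "setup: $!";
    print $t "key = value\n";
    close($t);
}

reset_target();
symlink($target, $log) or die "symlink: $!";   # link already in place

if (my $fh = open_log_unsafe($log)) {
    print $fh "shutdown: after calling open3\n";
    close($fh);
}
printf "unsafe: target overwritten with log text, now %d bytes\n", -s $target;

reset_target();
my $fh  = open_log_safe($log);
my $err = $fh ? 'none' : "$!";         # capture errno before any other call
close($fh) if $fh;
printf "safe:   %s (error: %s), target still %d bytes\n",
    ($fh ? 'opened' : 'refused'), $err, -s $target;
```

Because O_EXCL also refuses a stale log left by an earlier run, a daemon would normally pair this with a log directory that only it can write to rather than a fixed name in /tmp.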