Bug#684075: munin: insecure state file handling, munin-root

2012-08-09 Thread Helmut Grohne
I investigated whether just fixing the smart_ plugin would be enough of
a workaround for stable. We only have a finite number of plugins that
can instantiate this vulnerability. Just how many do? Basically we are
interested in those plugins that run with elevated privileges and use
state files. The first restriction reduces the number of plugins to the
following set (assuming default configuration of sid):

apt courier_mta_mailqueue courier_mta_mailstats courier_mta_mailvolume
cps_ exim_mailqueue exim_mailstats fw_conntrack fw_forwarded_local
hddtemp_smartctl hddtemp2 if_ if_err_ ip_ ipmi_ mysql_ mysql_bytes
mysql_innodb mysql_isam_space_ mysql_queries mysql_slowqueries
mysql_threads postfix_mailqueue postfix_mailstats postfix_mailvolume
smart_ vlan_ vlan_inetuse_ vlan_linkuse_ ejabberd_ dhcpd3
jmx_tomcat_dbpools samba postgres_autovacuum postgres_checkpoints
postgres_locks_ postgres_querylength_ postgres_streaming_ postgres_users
postgres_bgwriter postgres_connections_ postgres_oldest_prepared_xact_
postgres_scans_ postgres_transactions_ postgres_xlog postgres_cache_
postgres_connections_db postgres_prepared_xacts_ postgres_size_
postgres_tuples_ fail2ban

Big list. Now let's look at the second condition. Surely the plugin will
somehow have to reference /var/lib/munin/plugin-state. Since plugin.sh
does not give that reference and there is no other library for writing
plugins they will somehow have to mention plugin-state (seems like a
safe bet). Filtering those files which contain plugin-state gives us
this list:

apt courier_mta_mailstats courier_mta_mailvolume mysql_isam_space_
smart_

Observations:
 * It is way shorter.
 * It includes smart_ (the original vulnerability), so we didn't over-
   prune this.
 * The list contains more than smart_. :-(

Now to the individual plugins.

 * apt: Well, it does check whether its statefile is a symbolic link and
   only if it is not opens a statefile. This is a TOCTOU race condition.
   = Overwriting arbitrary files as root with non-chosen content.
   Another possibility could be to hard link a root-owned file you wish
   to truncate. (But that only works on the same device.)
 * courier_mta_mailstats and courier_mta_mailvolume are similar.
 * mysql_isam_space_ does a more tricky check, but gives the same
   result.
 * smart_ gives you root when reading those files.

So my conclusion is that smart_ is the worst offender as there is a
ready-to-use exploit floating around now. Exploiting the other issues
requires more work and possibly additional issues in unrelated software.
Nevertheless, just fixing smart_ is not a satisfactory solution, as it
leaves known issues behind.

Helmut


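The check-then-open race and the hard-link variant that Helmut describes for the apt and courier_mta_* plugins, replayed deterministically, with a writer that closes both holes by validating the inode it actually opened. This is an added illustration, not code from the bug report or from munin; munin's plugins are shell and Perl, and the project's own fix (per-user state directories) is not shown here. It assumes a Linux-like system where os.O_NOFOLLOW is available and the race_hook parameter is a stand-in for the attacker winning the race between the symlink check and the open():

```python
import os
import stat
import tempfile


def vulnerable_write_state(path, data, race_hook=None):
    """Check-then-open pattern: test for a symlink, then open for writing."""
    if os.path.islink(path):
        raise PermissionError("state file is a symlink, refusing")
    # TOCTOU window: an attacker who can write to the state directory
    # swaps a symlink in here. race_hook simulates the attacker winning.
    if race_hook is not None:
        race_hook()
    # open(..., "w") follows symlinks and truncates whatever it reaches.
    # It also happily writes through a hard link, which islink() never sees.
    with open(path, "w") as fh:
        fh.write(data)


def safe_write_state(path, data):
    """Open without following links, validate the opened inode, then truncate."""
    # Deliberately no O_TRUNC: nothing is destroyed until the checks pass.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # ELOOP if `path` is a symlink
    try:
        st = os.fstat(fd)  # properties of the inode we hold, not of a path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("state file is not a regular file")
        if st.st_nlink != 1:
            raise PermissionError("state file has extra hard links")
        if st.st_uid != os.geteuid():
            raise PermissionError("state file is not owned by us")
        os.ftruncate(fd, 0)  # only now discard the old contents
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir; returns which attacks succeeded."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Symlink attack: the plugin's state file is replaced by a link to
        # a file the attacker wants clobbered (a file we own, standing in
        # for a root-owned one).
        victim = os.path.join(d, "victim")
        with open(victim, "w") as fh:
            fh.write("precious config\n")
        state = os.path.join(d, "state")
        with open(state, "w") as fh:
            fh.write("old state\n")

        def swap_in_symlink():
            os.remove(state)
            os.symlink(victim, state)

        vulnerable_write_state(state, "new state\n", race_hook=swap_in_symlink)
        with open(victim) as fh:
            results["vuln_clobbered_victim"] = fh.read() == "new state\n"
        try:
            safe_write_state(state, "new state\n")  # state is now the symlink
            results["safe_refused_symlink"] = False
        except OSError:
            results["safe_refused_symlink"] = True

        # Hard-link attack: same device, no symlink for islink() to notice.
        victim2 = os.path.join(d, "victim2")
        with open(victim2, "w") as fh:
            fh.write("precious too\n")
        state2 = os.path.join(d, "state2")
        os.link(victim2, state2)
        try:
            safe_write_state(state2, "x\n")
            results["safe_refused_hardlink"] = False
        except PermissionError:
            results["safe_refused_hardlink"] = True
        with open(victim2) as fh:
            results["hardlink_victim_intact"] = fh.read() == "precious too\n"
        vulnerable_write_state(state2, "x\n")
        with open(victim2) as fh:
            results["vuln_truncated_via_hardlink"] = fh.read() == "x\n"

        # Legitimate use still works: create, then overwrite, a plain file.
        state3 = os.path.join(d, "state3")
        safe_write_state(state3, "first\n")
        safe_write_state(state3, "second\n")
        with open(state3) as fh:
            results["safe_normal_write"] = fh.read() == "second\n"
    return results
```

The fstat checks matter as much as O_NOFOLLOW: the link check only stops symlinks, the st_nlink test catches the same-device hard-link trick, and the owner test rejects a regular file an attacker pre-created in a shared directory. Note the order, open without O_TRUNC, verify, then ftruncate, so a failed check leaves the target untouched.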



Bug#684075: munin: insecure state file handling, munin-root

2012-08-09 Thread Kenyon Ralph
On 2012-08-09T09:29:06+0200, Helmut Grohne hel...@subdivi.de wrote:
> Big list. Now let's look at the second condition. Surely the plugin will
> somehow have to reference /var/lib/munin/plugin-state. Since plugin.sh
> does not give that reference and there is no other library for writing
> plugins they will somehow have to mention plugin-state (seems like a
> safe bet). Filtering those files which contain plugin-state gives us
> this list:

There is another library for writing plugins, which provides some
abstraction for state file handling: the Perl library
https://github.com/munin-monitoring/munin/blob/devel/plugins/lib/Munin/Plugin.pm

-- 
Kenyon Ralph

