CAN-2004-0972: Insecure temporary directory

Bug #9816 reported by Debian Bug Importer

Affects         Status        Importance  Assigned to  Milestone
lvm10 (Debian)  Fix Released  Unknown
lvm10 (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #279229 http://bugs.debian.org/279229

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 16:37:59 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2004-0972: Insecure temporary directory

Package: lvm10
Version: 1.0.8-7
Severity: grave
Tags: sarge, sid, patch, security

Trustix developers discovered insecure temporary file creation in a
supplemental script in the lvm10 package that didn't check for
existing temporary directories, allowing local users to overwrite
files via a symlink attack.

I'm attaching the patch we're using for the woody update.

Please let me know the version number of the fixed package. Please stick
the CVE Id from the subject to the changelog entry and upload with prio
set to high.

Regards,

 Joey

--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.

Martin Pitt (pitti) wrote :

Created an attachment (id=666)
interdiff for security update 1.0.8-4ubuntu1.1

Martin Pitt (pitti) wrote :

Proposed details section of USN:

Recently, Trustix Secure Linux discovered a vulnerability in a supplemental
script of the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which allowed a symlink attack to create or
overwrite arbitrary files with the privileges of the user invoking the program.

Martin Pitt (pitti) wrote :

Fixed for Warty:
 lvm10 (1:1.0.8-4ubuntu1.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix insecure temporary directory creation
   * 1.0.8/tools/lvmcreate_initrd: make program fail if mkdir of temporary
     directory ($TMPLIB) failed; earlier versions just continued to run which
     allowed symlink attacks.
   * References:
     CAN-2004-0972
     http://bugs.debian.org/279229

Fixed for Hoary in lvm10_1.0.8-7ubuntu1.
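
The failure mode and the fix described in the changelog above, as an added example that is not part of the original bug report or of the lvm10 package. The function names and the scratch directory layout are constructed for illustration, and stage_mktemp goes beyond the applied patch by also making the directory name unpredictable.

```sh
#!/bin/sh
# Added illustration; function names and the scratch layout are constructed.

# Pre-fix pattern: mkdir's exit status is ignored, so staging continues
# even when the path already exists as another user's symlink.
stage_unchecked() {            # $1 = temp dir path, $2 = file to stage
    mkdir "$1" 2>/dev/null
    cp "$2" "$1/"
}

# Pattern from the changelog: abort when mkdir fails. mkdir does not
# follow a symlink in the final path component; it fails with EEXIST.
stage_checked() {
    mkdir -m 700 "$1" 2>/dev/null || return 1
    cp "$2" "$1/"
}

# Beyond the patch: let mktemp pick an unpredictable name (mode 0700).
stage_mktemp() {
    tmpd=$(mktemp -d "$(dirname "$1")/initrd.XXXXXX") || return 1
    cp "$2" "$tmpd/"
}

# Pre-create the predictable path as a symlink to a "victim" directory,
# run one staging function, and report where the file ended up.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symdemo.XXXXXX") || return 2
    mkdir "$scratch/victim"
    echo data > "$scratch/lib.so"
    ln -s "$scratch/victim" "$scratch/tmplib"
    "$1" "$scratch/tmplib" "$scratch/lib.so" && rc=0 || rc=$?
    if [ -e "$scratch/victim/lib.so" ]; then where=victim-written
    else where=victim-untouched; fi
    rm -rf "$scratch"
    echo "$where rc=$rc"
}

for f in stage_unchecked stage_checked stage_mktemp; do
    echo "$f: $(demo "$f")"
done
```

Everything happens inside a throwaway directory created by mktemp, so the script can be run unprivileged on any POSIX system.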

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 2 Nov 2004 17:59:49 +0000
From: Martin Michlmayr <email address hidden>
To: Martin Schulze <email address hidden>, <email address hidden>
Subject: Re: Bug#279229: CAN-2004-0972: Insecure temporary directory

* Martin Schulze <email address hidden> [2004-11-01 16:37]:
> Package: lvm10
> Version: 1.0.8-7
> Severity: grave
>
> I'm attaching the patch we're using for the woody update.

FWIW, no patch was attached.
--
Martin Michlmayr
http://www.cyrius.com/

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 2 Nov 2004 19:28:48 +0100
From: Martin Schulze <email address hidden>
To: Martin Michlmayr <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#279229: CAN-2004-0972: Insecure temporary directory

Martin Michlmayr wrote:
> * Martin Schulze <email address hidden> [2004-11-01 16:37]:
> > Package: lvm10
> > Version: 1.0.8-7
> > Severity: grave
> >
> > I'm attaching the patch we're using for the woody update.
>
> FWIW, no patch was attached.

*sigh* here it is.

I should really open a grave bug against mutt for not reminding me to
add the promised attachments. *grr*

Regards,

 Joey

--
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.

Content-Disposition: attachment; filename="patch.CAN-2004-0972.lvm10"

diff -u lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd
--- lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd
+++ lvm10-1.0.4/1.0.4/tools/lvmcreate_initrd
@@ -237,6 +237,10 @@
 # run out of room on the ramdisk while stripping the libraries.
 echo "$cmd -- stripping shared libraries"
 mkdir $TMPLIB
+if [ $? -ne 0 ]; then
+ echo "$cmd -- ERROR making $TMPLIB"
+ cleanup 1
+fi
 for LIB in $SHLIBS; do
    verbose "copy $LIB to $TMPLIB$LIB"
    mkdir -p `dirname $TMPLIB$LIB`
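
Review bot: the check added right after `mkdir $TMPLIB` stops the script when the directory cannot be created, but `$TMPLIB` is still expanded unquoted and the directory gets whatever mode the umask allows. Because `mkdir` fails on an existing path, including a symlink, the check does cover the pre-created-directory case; consider tightening it to `mkdir -m 700 "$TMPLIB" || { echo "$cmd -- ERROR making $TMPLIB" >&2; cleanup 1; }` so the error goes to stderr and the directory is private from the start. Two things this hunk does not show and that are worth confirming: that `cleanup 1` exits rather than returning into the `for LIB` loop, and that it does not remove `$TMPLIB` on this path, where the directory is not ours. The `mkdir -p` on the last context line is likewise unchecked.
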
diff -u lvm10-1.0.4/debian/changelog lvm10-1.0.4/debian/changelog
--- lvm10-1.0.4/debian/changelog
+++ lvm10-1.0.4/debian/changelog
@@ -1,3 +1,11 @@
+lvm10 (1:1.0.4-5woody2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied Trustix patch to correct insecure temporary directory creation
+ [1.0.4/tools/lvmcreate_initrd, CAN-2004-0972]
+
+ -- Martin Schulze <email address hidden> Sun, 31 Oct 2004 20:31:55 +0100
+
 lvm10 (1:1.0.4-5woody1) stable; urgency=medium

   * Fix bug in vgimport that could prevent volume groups with out-of-sequence


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 03 Nov 2004 04:47:04 -0500
From: Patrick Caulfield <email address hidden>
To: <email address hidden>
Subject: Bug#279229: fixed in lvm10 1:1.0.8-8

Source: lvm10
Source-Version: 1:1.0.8-8

We believe that the bug you reported is fixed in the latest version of
lvm10, which is due to be installed in the Debian FTP archive:

lvm10-udeb_1.0.8-8_i386.udeb
  to pool/main/l/lvm10/lvm10-udeb_1.0.8-8_i386.udeb
lvm10_1.0.8-8.diff.gz
  to pool/main/l/lvm10/lvm10_1.0.8-8.diff.gz
lvm10_1.0.8-8.dsc
  to pool/main/l/lvm10/lvm10_1.0.8-8.dsc
lvm10_1.0.8-8_i386.deb
  to pool/main/l/lvm10/lvm10_1.0.8-8_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Caulfield <email address hidden> (supplier of updated lvm10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Wed, 3 Nov 2004 09:06:48 +0000
Source: lvm10
Binary: lvm10 lvm10-udeb
Architecture: source i386
Version: 1:1.0.8-8
Distribution: unstable
Urgency: high
Maintainer: Patrick Caulfield <email address hidden>
Changed-By: Patrick Caulfield <email address hidden>
Description:
 lvm10 - The Logical Volume Manager for Linux
 lvm10-udeb - The Logical Volume Manager for Linux (udeb)
Closes: 279229
Changes:
 lvm10 (1:1.0.8-8) unstable; urgency=high
 .
   * Applied Trustix patch to correct insecure temporary directory creation
     [1.0.4/tools/lvmcreate_initrd, CAN-2004-0972]
     Closes: #279229
Files:
 a5dbc35a8300821f5c41f1aa7887237b 574 admin optional lvm10_1.0.8-8.dsc
 e24fd20861335120f223a1c5eaed47a6 28362 admin optional lvm10_1.0.8-8.diff.gz
 420eb7812a968f5b9187b69860ce27bf 2585010 admin optional lvm10_1.0.8-8_i386.deb
 51bb36eb52f3a35ea3e24c03e88f294e 140074 debian-installer extra lvm10-udeb_1.0.8-8_i386.udeb


Changed in lvm10:
status: Unknown → Fix Released