Bug 13455

Summary: ctdb new security issue CVE-2013-4159
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: bgmilne, mageia, rwobben, shlomif, sysadmin-bugs, tmb
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/603506/
Whiteboard: MGA3TOO advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: ctdb-1.2.46-3.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2014-05-30 16:11:59 CEST
A CVE was issued for /tmp-file security issues fixed in ctdb 2.5:
http://openwall.com/lists/oss-security/2014/05/29/12

There are also links to upstream commits to fix these issues in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=986773#c3

There are kernel protections against this type of issue in Mageia 4, but we should probably fix this for Mageia 3 at least.  For Cauldron, it should be updated to 2.5.3.

David Walser 2014-05-30 16:12:20 CEST

CC: (none) => bgmilne, mageia
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 roelof Wobben 2014-06-03 08:58:18 CEST
I will take this one.
One question: If I understand you right, I have to update to 2.5.3 and apply the patch for M3 and Cauldron.

Roelof

CC: (none) => rwobben

Comment 2 David Walser 2014-06-07 19:29:35 CEST
ctdb-2.5.3-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 David Walser 2014-06-13 22:26:05 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated ctdb packages fix security vulnerability:

ctdb before 2.5 is vulnerable to symlink attacks due to the use of predictable
filenames in /tmp, such as /tmp/ctdb.socket (CVE-2013-4159).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4159
https://bugzilla.redhat.com/show_bug.cgi?id=986773
========================

Updated packages in core/updates_testing:
========================
ctdb-1.2.46-3.1.mga3
ctdb-devel-1.2.46-3.1.mga3
ctdb-1.2.46-4.1.mga4
ctdb-devel-1.2.46-4.1.mga4

from SRPMS:
ctdb-1.2.46-3.1.mga3.src.rpm
ctdb-1.2.46-4.1.mga4.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
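
The class of bug named in the advisory above, shown as an added example (not part of this bug thread and not ctdb's code): opening a predictable name without `O_EXCL` follows a link that is already there, while an exclusive create refuses it. The function names, the `state.tmp` and `victim` file names and the scratch directory are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: fixed name, no O_EXCL, so an existing symlink is followed. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened: succeeds only if this call creates the file itself. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "state.tmp" is the
 * predictable name and is already a symlink to "victim" (4 bytes).
 * Outputs: errno of the hardened open, then victim's size after each open. */
int run_demo(int *hard_errno, long *after_hard, long *after_unsafe) {
    char dir[] = "/tmp/symlink-demo.XXXXXX", victim[64], name[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/state.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("data", f); fclose(f);
    if (symlink(victim, name) != 0) return -1;
    int fd = open_exclusive(name);     /* refused: the name already exists */
    *hard_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    *after_hard = size_of(victim);     /* victim untouched */
    fd = open_predictable(name);       /* follows the link, truncates victim */
    if (fd >= 0) close(fd);
    *after_unsafe = size_of(victim);
    unlink(name); unlink(victim); rmdir(dir);
    return 0;
}
int main(void) {
    int e; long a, b;
    if (run_demo(&e, &a, &b) != 0) return 1;
    printf("hardened errno=%d, victim size %ld -> %ld\n", e, a, b);
    return 0;
}
```

A fixed-name socket or state file is normally moved to a directory that only the service account can write to, which removes the pre-planted link case entirely.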

Comment 4 David Walser 2014-06-19 20:35:45 CEST
CTDB looks to be very complicated to set up, to say the least:
https://ctdb.samba.org/

Comment 5 David Walser 2014-06-25 15:14:43 CEST
OpenSuSE has issued an advisory for this today (June 25):
http://lists.opensuse.org/opensuse-updates/2014-06/msg00052.html

Comment 6 claire robinson 2014-06-25 16:24:32 CEST
Testing complete mga4 64

OpenSuSE bugs are still embargoed.

This really needs some kind of dedicated cluster to test properly and, by the looks of it, several days to experiment. As we have neither, just testing the update installs cleanly, which it does.

Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 7 claire robinson 2014-06-25 17:01:09 CEST
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-64-ok

Comment 8 claire robinson 2014-06-25 17:12:27 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

David Walser 2014-06-25 18:31:45 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603506/

Comment 9 claire robinson 2014-06-25 19:16:06 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-06-27 17:25:15 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0274.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED