Bug 7470 - bacula - Improper ACL rules enforcement by dumping resources (CVE-2012-4430)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal   Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/518925/
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32...
Keywords: validated_update

Reported: 2012-09-13 09:25 CEST by Oden Eriksson
Modified: 2012-11-06 20:22 CET
CC: 4 users
Source RPM: bacula

Description Oden Eriksson 2012-09-13 09:25:59 CEST
Bacula 5.2.11 was released with this in the changelog:

- Make dump_resource respect console ACL's (security fix)

I'm not sure what the impact is here. Here's the fix:

http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905
Comment 1 David Walser 2012-09-25 22:46:38 CEST
In fact, that's not the only security issue fixed in Bacula since the version we have in Mageia 1 and 2.

I looked at the changelogs and found a few others, and added patches for them in Cauldron (but they were removed when Oden updated it to the newest version).

Here is the revision where those were added:
http://svnweb.mageia.org/packages?view=revision&revision=293377

The only other security issue in bacula I missed was this one:

- Additional security against injection of illegal characters

from what looks like the 5.2.1 changelog, or maybe 5.2.0:
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes

it should be in the 2010-2011 range, pre-5.2.1:
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog

GIT is here:
http://www.bacula.org/git/cgit.cgi/bacula/log/

Probably upstream would need to be asked to track down which GIT commits correspond to that fix.

I doubt any of these are major issues, and IIRC, the only one that any distro vendors issued an update for was the autochanger tmpfiles one, which was very minor.
Comment 2 David Walser 2012-09-25 22:47:25 CEST
In other words, if any major security issue is ever fixed in Bacula, mandating an update for Mageia 1 and/or Mageia 2, it would be nice to include the patches mentioned above as well.
Comment 3 Manuel Hiebel 2012-09-25 23:02:19 CEST
(only two committers, anne and ahmad, so a really unmaintained package)
Comment 4 David Walser 2012-09-25 23:20:39 CEST
(In reply to comment #3)
> (only two committers, anne and ahmad, so a really unmaintained package)

Yes, as a matter of fact it hasn't been touched for a long time in Cooker either, so it's *really* unmaintained.  Fortunately, Oden has updated it in Cauldron.
Comment 5 Oden Eriksson 2012-09-26 08:21:39 CEST
This was assigned CVE-2012-4430 as per:

http://www.openwall.com/lists/oss-security/2012/09/15/2

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=857955
Comment 6 David Walser 2012-09-28 20:58:12 CEST
I asked the upstream author about the "injection of illegal characters fix" and here's the response I got:

"Well, this wasn't really a security problem as such, we just tightened up
the coding.  The change is that the user (with ACLs if desired) can issue
SQL commands within bconsole.  Presumably he is already a trusted user or he
wouldn't be permitted to issue them.  However, we improved the coding to
filter out what we consider "illegal" characters that the user might enter
as an SQL command.

To find the commit, probably the easiest way is to use gitk and search
against the string above or the words "security" or "sql".  Unfortunately,
I don't have the time to do this myself.  If it is logged in the ChangeLog,
then the exact date will appear above the line, and you can easily find all
commits that were made on that day."

I looked through the ChangeLog for SQL changes and couldn't find anything that looked relevant, but it sounds like it's not that important, so I'm not going to worry about it.

In other news....

Here's a reference for the autochanger tmpfiles issue, CVE-2008-5373:
http://lwn.net/Vulnerabilities/508809/

I have checked the fixes into Mageia 1 and Mageia 2 SVN, but haven't pushed to the build system.  These appear to all be very low-impact security issues.

Oden, do you want to push this out now?

Here's an advisory if we do.

Advisory:
========================

Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due to
insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior to providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included.  One is a fix for a possible fnmatch problem, and the other adds
rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
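The advisory above describes CVE-2012-4430 as a missing ACL check before resource information is shown to a console. The following is an added example written for this page, not Bacula's own dump_resource code: the directive names JobACL, ClientACL, StorageACL and PoolACL are Bacula's, but the data model, the matching rules, the sample configuration and the passwords in it are assumptions made for the illustration. It contrasts a dump that selects resources by kind only with one that consults the console's ACL for each resource before rendering it, and lists which passwords the unchecked version would have exposed to a restricted console.

```python
"""Model of the bug class behind CVE-2012-4430, added for this report (not
Bacula's code): a console command that dumps Director resources must apply
the console's ACLs to each resource before it is printed, not only to the
command name. A restricted console that may run the command but whose
ClientACL lists one client must not see the other clients' passwords."""
from dataclasses import dataclass

# Which ACL directive governs each resource kind. The directive names are the
# Bacula Console ones; the mapping and the matching rules below are an
# assumption for this illustration.
ACL_FOR_KIND = {
    "job": "JobACL",
    "client": "ClientACL",
    "storage": "StorageACL",
    "pool": "PoolACL",
}


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    config: dict


class ConsoleACLs:
    """ACLs of one restricted console. A kind with no directive is denied."""

    def __init__(self, acls):
        self.acls = {k: [v.lower() for v in vals] for k, vals in acls.items()}

    def allows(self, kind, name):
        allowed = self.acls.get(ACL_FOR_KIND[kind], [])
        return "*all*" in allowed or name.lower() in allowed


def dump_resources_unchecked(resources, kinds):
    """Flawed pattern: selects by kind only, so every client/storage password
    in the Director's configuration reaches whoever may run the command."""
    return [r for r in resources if r.kind in kinds]


def dump_resources(resources, kinds, console):
    """Fixed pattern: the per-resource ACL check happens before anything is
    emitted, so resources outside the console's ACLs are never rendered."""
    return [r for r in resources
            if r.kind in kinds and console.allows(r.kind, r.name)]


def render(resources):
    """Render resources in the Director's configuration syntax."""
    lines = []
    for r in resources:
        lines.append(f"{r.kind.capitalize()} {{")
        lines.append(f"  Name = {r.name}")
        for key, value in r.config.items():
            lines.append(f"  {key} = {value}")
        lines.append("}")
    return "\n".join(lines)


# Constructed sample configuration; hosts, names and passwords are made up.
SAMPLE = [
    Resource("client", "web-fd", {"Address": "web.example.invalid", "Password": "web-secret"}),
    Resource("client", "db-fd", {"Address": "db.example.invalid", "Password": "db-secret"}),
    Resource("storage", "File1", {"Address": "sd.example.invalid", "Password": "sd-secret"}),
    Resource("job", "BackupWeb", {"Client": "web-fd"}),
    Resource("job", "BackupDB", {"Client": "db-fd"}),
]

# A console allowed to manage every job but only the web client.
WEB_CONSOLE = ConsoleACLs({"JobACL": ["*all*"], "ClientACL": ["web-fd"]})


def leaked_secrets(resources, kinds, console):
    """Passwords the unchecked dump reveals that the ACL-checked dump withholds."""
    seen = set(r.name for r in dump_resources(resources, kinds, console))
    return sorted(r.config["Password"]
                  for r in dump_resources_unchecked(resources, kinds)
                  if "Password" in r.config and r.name not in seen)


if __name__ == "__main__":
    print(render(dump_resources(SAMPLE, {"client", "storage"}, WEB_CONSOLE)))
    print("withheld:", leaked_secrets(SAMPLE, {"client", "storage"}, WEB_CONSOLE))
```

The point of the split between selection and rendering is that the ACL decision is taken per resource and before any output exists, so a command-level permission (being allowed to run the dump at all) can never widen what a console sees.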
Comment 7 David Walser 2012-10-09 13:29:58 CEST
Debian has issued an advisory for this on October 8:
http://www.debian.org/security/2012/dsa-2558
Comment 9 Oden Eriksson 2012-10-09 14:20:54 CEST
Please try again (r303909)
Comment 11 David Walser 2012-10-09 18:20:28 CEST
Thanks Oden.  Patched packages for Mageia 1 and Mageia 2 uploaded.

Advisory:
========================

Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due to
insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior to providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included.  One is a fix for a possible fnmatch problem, and the other adds
rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
========================

Updated packages in core/updates_testing:
========================
libbacula-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-bat-5.0.3-2.1.mga2
bacula-fd-5.0.3-2.1.mga2
bacula-sd-5.0.3-2.1.mga2
bacula-gui-web-5.0.3-2.1.mga2
bacula-gui-bimagemgr-5.0.3-2.1.mga2
bacula-gui-brestore-5.0.3-2.1.mga2
bacula-tray-monitor-5.0.3-2.1.mga2

from SRPMS:
bacula-5.0.3-2.1.mga1.src.rpm
bacula-5.0.3-2.1.mga2.src.rpm
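The symlink issue in the advisory (CVE-2008-5373) is the usual predictable temp-file pattern in a shell script. Below is an added illustration, not Bacula's mtx-changer script, of the unsafe naming beside the mktemp-based replacement, plus a check a reviewer can run on the file a script hands back; the function names and the "mtx." prefix are invented for the example.

```sh
#!/bin/sh
# Added illustration for this report (not Bacula's mtx-changer): predictable
# temp-file naming versus atomic creation with mktemp. Function names and the
# "mtx." prefix are invented for the example.

# Unsafe pattern: the name is guessable (directory + fixed prefix + PID), so a
# local user can plant a symlink there ahead of time and the script's later
# write follows it to a file of the attacker's choosing.
tmp_predictable() {
    echo "${TMPDIR:-/tmp}/mtx.$$"
}

# Safe pattern: mktemp picks an unpredictable name and creates the file
# atomically (O_CREAT|O_EXCL, mode 0600), so an existing entry, symlink
# included, is never reused.
tmp_secure() {
    mktemp "${TMPDIR:-/tmp}/mtx.XXXXXX"
}

# Review check for a path a script hands back: a real file (not a symlink)
# readable and writable by its owner only.
tmp_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perms" = "600" ]
}

# Demonstration: plant a symlink at the predictable name, then show that the
# safe pattern yields a different, private file while the planted name fails
# the check. Returns 0 when the safe pattern held up; cleans up after itself.
demo() {
    target=$(mktemp "${TMPDIR:-/tmp}/victim.XXXXXX") || return 1
    planted=$(tmp_predictable)
    ln -s "$target" "$planted" || return 1          # the pre-planted symlink
    safe=$(tmp_secure) || return 1
    tmp_is_private "$safe" && ! tmp_is_private "$planted" \
        && [ "$safe" != "$planted" ]
    status=$?
    rm -f "$safe" "$planted" "$target"
    return $status
}

demo && echo "mktemp-based temp file survived a planted symlink"
```

The check in tmp_is_private is what to look for when auditing any helper script that writes under /tmp: the file must have been created by the script itself (so no symlink) and must not be group- or world-accessible.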
Comment 12 claire robinson 2012-10-30 13:30:26 CET
Just removing some duplicates in the rpm list

bacula-bat-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-2.1.mga1

bacula-bat-5.0.3-2.1.mga2
bacula-common-5.0.3-2.1.mga2
bacula-console-5.0.3-2.1.mga2
bacula-console-wx-5.0.3-2.1.mga2
bacula-dir-common-5.0.3-2.1.mga2
bacula-dir-mysql-5.0.3-2.1.mga2
bacula-dir-pgsql-5.0.3-2.1.mga2
bacula-dir-sqlite3-5.0.3-2.1.mga2
bacula-fd-5.0.3-2.1.mga2
bacula-gui-bimagemgr-5.0.3-2.1.mga2
bacula-gui-brestore-5.0.3-2.1.mga2
bacula-gui-web-5.0.3-2.1.mga2
bacula-sd-5.0.3-2.1.mga2
bacula-tray-monitor-5.0.3-2.1.mga2
libbacula-5.0.3-2.1.mga2
Comment 13 claire robinson 2012-10-30 13:41:19 CET
For mga2 the current version is 5.0.3-3 so the update needs a version bump

Mga1 is ok as the current version is 5.0.3-2
Comment 14 David Walser 2012-10-30 15:38:40 CET
WTF happened here?  3.mga2 in the changelog shows it was rebuilt by ahmad in July 2011, but that does not appear in SVN!  Also I'm surprised the build system let me submit it as 2.1.mga2.

Anyway, I bumped the release tag and resubmitted.

Advisory:
========================

Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due to
insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior to providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included.  One is a fix for a possible fnmatch problem, and the other adds
rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
========================

Updated packages in core/updates_testing:
========================
libbacula-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-bat-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
libbacula-5.0.3-3.1.mga2
bacula-common-5.0.3-3.1.mga2
bacula-dir-common-5.0.3-3.1.mga2
bacula-dir-mysql-5.0.3-3.1.mga2
bacula-dir-pgsql-5.0.3-3.1.mga2
bacula-dir-sqlite3-5.0.3-3.1.mga2
bacula-console-5.0.3-3.1.mga2
bacula-console-wx-5.0.3-3.1.mga2
bacula-bat-5.0.3-3.1.mga2
bacula-fd-5.0.3-3.1.mga2
bacula-sd-5.0.3-3.1.mga2
bacula-gui-web-5.0.3-3.1.mga2
bacula-gui-bimagemgr-5.0.3-3.1.mga2
bacula-gui-brestore-5.0.3-3.1.mga2
bacula-tray-monitor-5.0.3-3.1.mga2

from SRPMS:
bacula-5.0.3-2.1.mga1.src.rpm
bacula-5.0.3-3.1.mga2.src.rpm
Comment 15 Dave Hodgins 2012-11-02 00:31:26 CET
Testing complete on Mageia 1 i586.

Found out that at least with postgresql, the database user has to be
created before installing bacula.

I used the guide at http://lucasmanual.com/mywiki/Bacula#Configure_Bacula
with the default configuration files.  Using bconsole, I was able to
run a job, etc.  The job failed with a message to the effect of "no
appendable volume found", but that's clearly just a configuration
problem.

I'll test with mysql on Mageia 1 x86-64.
Comment 16 Dave Hodgins 2012-11-02 00:50:56 CET
Testing complete on Mageia 1 x86-64.

With mysql, you have to remove the password from the db root user
before installing.
Comment 17 Dave Hodgins 2012-11-02 01:12:33 CET
Testing complete on Mageia 2 i586.

Used the default mysql.  Using bconsole, created a label for the file
system storage, then ran the job, which backed up the configured
directories into /var/spool/bacula/label.
Comment 18 Dave Hodgins 2012-11-02 02:02:09 CET
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
bacula-5.0.3-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
bacula-5.0.3-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due to
insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior to providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included.  One is a fix for a possible fnmatch problem, and the other adds
rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
Comment 19 Dave Hodgins 2012-11-02 02:04:17 CET
Forgot to actually validate the update.

Could someone from the sysadmin team push the srpm
bacula-5.0.3-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
bacula-5.0.3-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due to
insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior to providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included.  One is a fix for a possible fnmatch problem, and the other adds
rate limiting of bad connections.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ReleaseNotes
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/ChangeLog
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084347.html
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558

https://bugs.mageia.org/show_bug.cgi?id=7470
Comment 20 Thomas Backlund 2012-11-06 20:22:27 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0321
