[ GLSA 200903-18 ] Openswan: Insecure temporary file creation Mar 09 2009 02:00PM
Robert Buchholz (rbu gentoo org) (1 replies)
Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Mar 09 2009 08:12PM
Paul Wouters (paul xtdnet nl) (1 replies)
Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation Mar 10 2009 10:47AM
Robert Buchholz (rbu gentoo org)
Hello Paul,

On Monday 09 March 2009, Paul Wouters wrote:
> On Mon, 9 Mar 2009, Robert Buchholz wrote:
> > Subject: [ GLSA 200903-18 ] Openswan: Insecure temporary file
> > creation
>
> Once again, thanks to everyone for not contacting the Openswan
> Project in this matter just like they did not do this 6 months ago
> when this "vulnerability" came out originally.

We often contact upstream about security issues that we are tracking;
however, in this case it seemed to be an error in our ebuild, which
installed a script that was not intended to be installed by upstream.

> > A local attacker could perform symlink attacks to execute arbitrary
> > code and overwrite arbitrary files with the privileges of the user
> > running the application.
>
> The ipsec livetest command was never called or used by anything in
> openswan as it was not finished. Furthermore, it was no longer
> installed AND explicitly disabled since:
>
> commit 4661d345b676d5412a52b6d1289568fc4ab31eac
> Author: Paul Wouters <paul (at) xelerance (dot) com>
> Date: Fri Nov 21 23:52:38 2008 -0600
>
> Skip installing livetest
>
> when we added:
>
> $ head -5 programs/livetest/livetest.in
> #!/bin/sh
>
> echo "currently not used"
> exit

True, however this was not the case in our ebuild for 2.4.13-r1 and
earlier. In current versions we do not install it anymore, which is
what you have recommended below as well.

> > Workaround
> > ==========
> >
> > There is no known workaround at this time.
>
> The ipsec livetest is not even used by anything within the openswan
> software. It is never called. No parts of openswan are called without
> root privs. This whole thing is moot. Please bury it. Or just remove
> the install of the livetest command in your build environment.
>
> Or just ship a newer version of openswan like 2.6.20 instead of the
> latest "vulnerable" version in 2.6.16.
>
> > Resolution
> > ==========
> >
> > All Openswan users should upgrade to the latest version:
> >
> > # emerge --sync
> > # emerge --ask --oneshot --verbose
> > ">=net-misc/openswan-2.4.13-r2"
>
> Ahh. gentoo still uses the openswan-2.4.x version which has been EOL
> since early 2008.

The version of a software to move to stable or to remain in unstable
Gentoo is at the discretion of the maintainer, so I cannot comment on
the reasons for this.

> Also note that the problematic use was in wget -O. Perhaps one should
> talk to the wget people about symlink attack in their code instead?
>
> Paul

Robert
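
The symlink problem named in the advisory text and the `wget -O` use mentioned in the thread, shown as an added example that is not part of either message and is not Openswan or Gentoo code. It assumes a fixed output name in a shared directory (`livetest.tmp` is a hypothetical name, the real path is not given in the thread), uses a shell redirect as a stand-in for `wget -O`, and runs entirely inside a private sandbox directory:

```shell
#!/bin/sh
# Constructed demo; all files live in a throwaway sandbox directory.

# fetch_to FILE: stand-in for "wget -O FILE URL". Like wget -O, it opens
# FILE for writing with truncation and follows a symlink found at that path.
fetch_to() {
    printf 'downloaded data\n' > "$1"
}

# Weak pattern: fixed, predictable name in a shared directory.
unsafe_fetch() {
    fetch_to "$1/livetest.tmp"      # hypothetical file name
}

# Hardened pattern: mktemp creates a brand-new file with an unpredictable
# name (exclusive create, mode 0600), so a pre-planted link is never opened.
safe_fetch() {
    out=$(mktemp "$1/livetest.XXXXXX") || return 1
    fetch_to "$out"
    printf '%s\n' "$out"
}

# run_demo MODE: place a symlink at the predictable name, run the chosen
# pattern, then print what the linked-to file contains afterwards.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/tmp"; mkdir "$shared"
    victim="$sandbox/victim.conf"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$shared/livetest.tmp"   # present before the script runs
    case "$1" in
        unsafe) unsafe_fetch "$shared" ;;
        safe)   safe_fetch "$shared" >/dev/null ;;
    esac
    cat "$victim"
    rm -rf "$sandbox"
}

run_demo unsafe   # victim.conf now holds the downloaded data
run_demo safe     # victim.conf is untouched
```

When the script runs with root privileges, as the thread says all parts of openswan do, the file written through the link can be any file on the system, which is why the fixed name is the defect and `mktemp` (or a private directory) is the fix.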

Copyright 2010, SecurityFocus