Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Insecure temporary file name in iscsi_discovery

Related Vulnerabilities: CVE-2009-1297  

Source

Debian Bug report logs - #547011
Insecure temporary file name in iscsi_discovery

version graph

Package: open-iscsi; Maintainer for open-iscsi is Debian iSCSI Maintainers <open-iscsi@packages.debian.org>; Source for open-iscsi is src:open-iscsi (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 16 Sep 2009 20:15:11 UTC

Severity: grave

Tags: patch, security

Fixed in versions open-iscsi/2.0.871-1, open-iscsi/2.0.870~rc3-0.4.1

Done: Ritesh Raj Sarraf <rrs@researchut.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Philipp Hug <debian@hug.cx>:
Bug#547011; Package open-iscsi. (Wed, 16 Sep 2009 20:15:14 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Philipp Hug <debian@hug.cx>. (Wed, 16 Sep 2009 20:15:15 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Insecure temporary file name in iscsi_discovery
Date: Wed, 16 Sep 2009 22:08:04 +0200
Package: open-iscsi
Severity: important
Tags: security

The following report was send to us by Kees Cook, this is CVE-2009-1297.

There are currently more important issues scheduled for DSAs, please fix
this one by preparing an update for the next stable point update. Etch
is not affected.

Cheers,
        Moritz

Colin Watson reported the following bug:
https://launchpad/bugs/408915

  The iscsi_discovery shell script, typically run as root, contains the
  following code:

        df=/tmp/discovered.$$

        dbg "starting discovery to $ip"
        iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}

  This is a standard security vulnerability and should be replaced by use of
  mktemp or shell variables.

The proposed patch is attached.

diff -u open-iscsi-2.0.870.1/utils/iscsi_discovery open-iscsi-2.0.870.1/utils/iscsi_discovery
--- open-iscsi-2.0.870.1/utils/iscsi_discovery
+++ open-iscsi-2.0.870.1/utils/iscsi_discovery
@@ -128,24 +128,22 @@

        connected=0
        discovered=0
-       df=/tmp/discovered.$$

        dbg "starting discovery to $ip"
-       iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}
-       while read portal target
+       disc="$(iscsiadm -m discovery --type sendtargets --portal ${ip}:${port})"
+       echo "${disc}" | while read portal target
        do
                portal=${portal%,*}
                select_transport
-       done < ${df}
+       done

-       discovered=$(cat ${df} | wc -l)
+       discovered=$(echo "${disc}" | wc -l)
        if [ ${discovered} = 0 ]; then
                echo "failed to discover targets at ${ip}"
                exit 2
        else
                echo "discovered ${discovered} targets at ${ip}"
        fi
-       /bin/rm -f ${df}
 }

 try_login()


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages open-iscsi depends on:
ii  libc6                         2.9-26     GNU C Library: Shared libraries

open-iscsi recommends no packages.

open-iscsi suggests no packages.

Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 02 Dec 2009 21:21:12 GMT) (full text, mbox, link).

Added tag(s) patch. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Sat, 23 Jan 2010 16:33:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#547011; Package open-iscsi. (Sat, 23 Jan 2010 17:15:02 GMT) (full text, mbox, link).

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. (Sat, 23 Jan 2010 17:15:02 GMT) (full text, mbox, link).

Message #14 received at 547011@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: 547011@bugs.debian.org
Subject: open-iscsi: diff for NMU version 2.0.870~rc3-0.6
Date: Sat, 23 Jan 2010 18:12:19 +0100
[Message part 1 (text/plain, inline)]
Dear maintainer,

I've prepared an NMU for open-iscsi (versioned as 2.0.870~rc3-0.6) and
uploaded it to DELAYED/05. Please feel free to tell me if I
should delay it longer.

Regards.
 -- Guido

[open-iscsi-2.0.870~rc3-0.6-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#547011; Package open-iscsi. (Wed, 03 Feb 2010 16:33:08 GMT) (full text, mbox, link).

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. (Wed, 03 Feb 2010 16:33:08 GMT) (full text, mbox, link).

Message #19 received at 547011@bugs.debian.org (full text, mbox, reply):

From: Stefano Zacchiroli <zack@debian.org>
To: Guido Günther <agx@sigxcpu.org>
Cc: 547011@bugs.debian.org
Subject: Re: Bug#547011: open-iscsi: diff for NMU version 2.0.870~rc3-0.6
Date: Wed, 3 Feb 2010 17:25:46 +0100
On Sat, Jan 23, 2010 at 06:12:19PM +0100, Guido Günther wrote:
> I've prepared an NMU for open-iscsi (versioned as 2.0.870~rc3-0.6) and
> uploaded it to DELAYED/05. Please feel free to tell me if I
> should delay it longer.

Heya Guido,
  what happened to this NMU? I can't see it in DELAYED [1], and while it
should have expired about a week ago, it has not yet hit the archive:

  zack@usha:~$ rmadison open-iscsi
  open-iscsi |  2.0.730-1 |     etch-m68k | source, m68k
  open-iscsi | 2.0.730-1etch4 |     oldstable | source, alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
  open-iscsi | 2.0.870~rc3-0.4 |        stable | source, alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
  open-iscsi | 2.0.870~rc3-0.5 |       testing | source, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
  open-iscsi | 2.0.870~rc3-0.5 |      unstable | source, alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc

nor it is in NEW.

Did you perhaps forget to upload? In that case let us know, so that
someone else with catch up, thanks to your patch :-)

Cheers.

[1] http://ftp-master.debian.org/deferred.html


-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#547011; Package open-iscsi. (Wed, 03 Feb 2010 17:06:03 GMT) (full text, mbox, link).

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>. (Wed, 03 Feb 2010 17:06:03 GMT) (full text, mbox, link).

Message #24 received at 547011@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Stefano Zacchiroli <zack@debian.org>
Cc: 547011@bugs.debian.org, Ritesh Raj Sarraf <rrs@researchut.com>
Subject: Re: Bug#547011: open-iscsi: diff for NMU version 2.0.870~rc3-0.6
Date: Wed, 3 Feb 2010 18:01:22 +0100
On Wed, Feb 03, 2010 at 05:25:46PM +0100, Stefano Zacchiroli wrote:
> On Sat, Jan 23, 2010 at 06:12:19PM +0100, Guido Günther wrote:
> > I've prepared an NMU for open-iscsi (versioned as 2.0.870~rc3-0.6) and
> > uploaded it to DELAYED/05. Please feel free to tell me if I
> > should delay it longer.
> 
> Heya Guido,
>   what happened to this NMU? I can't see it in DELAYED [1], and while it
> should have expired about a week ago, it has not yet hit the archive:
> 
>   zack@usha:~$ rmadison open-iscsi
>   open-iscsi |  2.0.730-1 |     etch-m68k | source, m68k
>   open-iscsi | 2.0.730-1etch4 |     oldstable | source, alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
>   open-iscsi | 2.0.870~rc3-0.4 |        stable | source, alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
>   open-iscsi | 2.0.870~rc3-0.5 |       testing | source, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
>   open-iscsi | 2.0.870~rc3-0.5 |      unstable | source, alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
> 
> nor it is in NEW.
> 
> Did you perhaps forget to upload? In that case let us know, so that
> someone else with catch up, thanks to your patch :-)
It got lintian autorejected due to a statically linked binary. We're
currently preparing a new upload including a new upstream version and a
new maintainer:
	http://git.debian.org/?p=pkg-iscsi/open-iscsi.git;a=summary
Should be done in a couple of days.
Cheers,
 -- Guido

Added tag(s) pending. Request was from Ritesh Raj Sarraf <rrs@researchut.com> to control@bugs.debian.org. (Tue, 09 Feb 2010 19:06:08 GMT) (full text, mbox, link).

Bug closed, send any further explanations to Moritz Muehlenhoff <jmm@debian.org> Request was from Ritesh Raj Sarraf <rrs@researchut.com> to control@bugs.debian.org. (Wed, 10 Feb 2010 04:06:02 GMT) (full text, mbox, link).

Bug Marked as fixed in versions open-iscsi/2.0.871-1. Request was from Ritesh Raj Sarraf <rrs@researchut.com> to control@bugs.debian.org. (Tue, 16 Feb 2010 10:21:15 GMT) (full text, mbox, link).

Reply sent to Ritesh Raj Sarraf <rrs@researchut.com>:
You have taken responsibility. (Fri, 05 Mar 2010 19:54:12 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 05 Mar 2010 19:54:12 GMT) (full text, mbox, link).

Message #35 received at 547011-close@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@researchut.com>
To: 547011-close@bugs.debian.org
Subject: Bug#547011: fixed in open-iscsi 2.0.870~rc3-0.4.1
Date: Fri, 05 Mar 2010 19:52:51 +0000
Source: open-iscsi
Source-Version: 2.0.870~rc3-0.4.1

We believe that the bug you reported is fixed in the latest version of
open-iscsi, which is due to be installed in the Debian FTP archive:

open-iscsi_2.0.870~rc3-0.4.1.diff.gz
  to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1.diff.gz
open-iscsi_2.0.870~rc3-0.4.1.dsc
  to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1.dsc
open-iscsi_2.0.870~rc3-0.4.1_amd64.deb
  to main/o/open-iscsi/open-iscsi_2.0.870~rc3-0.4.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 547011@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <rrs@researchut.com> (supplier of updated open-iscsi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Mar 2010 14:20:24 +0530
Source: open-iscsi
Binary: open-iscsi
Architecture: source amd64
Version: 2.0.870~rc3-0.4.1
Distribution: stable
Urgency: low
Maintainer: Philipp Hug <debian@hug.cx>
Changed-By: Ritesh Raj Sarraf <rrs@researchut.com>
Description: 
 open-iscsi - High performance, transport independent iSCSI implementation
Closes: 547011
Changes: 
 open-iscsi (2.0.870~rc3-0.4.1) stable; urgency=low
 .
   * Fix CVE-2009-1297 (Closes: #547011) - thanks to Colin Watson for
     the patch
Checksums-Sha1: 
 4d8d74235dc6ac11740fbccf1591e001e9c2c942 1771 open-iscsi_2.0.870~rc3-0.4.1.dsc
 5e746bf8e45c334ca7f6d3377843a3c539211821 9547 open-iscsi_2.0.870~rc3-0.4.1.diff.gz
 82db06f93ac59237010a0e08832cd7d3a4e1dc42 599844 open-iscsi_2.0.870~rc3-0.4.1_amd64.deb
Checksums-Sha256: 
 e77bc6e1d0f226cf4968c799779f2f139eea2637c09cda1c68a357694f910f3f 1771 open-iscsi_2.0.870~rc3-0.4.1.dsc
 ffef33589ce5c4d1c6bbfd738583afc704e151efd2fe6d491445a2edbf754f09 9547 open-iscsi_2.0.870~rc3-0.4.1.diff.gz
 c1008850038c9dfbc3c1fbdd2a64514d3241a7bdfefea3276ea40501d4cab790 599844 open-iscsi_2.0.870~rc3-0.4.1_amd64.deb
Files: 
 71875da184e07dc6aed20387f468dcd5 1771 net optional open-iscsi_2.0.870~rc3-0.4.1.dsc
 956fafb452dffd4dba550513aabfcddb 9547 net optional open-iscsi_2.0.870~rc3-0.4.1.diff.gz
 cff6a39ee79a1aacd3a4b2c553480481 599844 net optional open-iscsi_2.0.870~rc3-0.4.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJLkNUGAAoJEKY6WKPy4XVpQMkP/3szpx6zgfP7NaRBdGKqfj76
dubLttCQyl4tVJ9y7MbBC6kHAZk6l57eYLJmIJPD3p4R1S6cEtUobcGNrrEbvTnK
VC8Ee1WU6ssI1LOk6ASI4K6sZI2eVkqaCP5IT0GQdyTtLBkXwmNRJB3kCSFS8zyk
CDzy0xrGBye8yFxm1LWm5GadhrHPwOfpaKEicYQOnxqPEGzcG5lLjJyyqfM1BbUO
nMPn5pH+XUOPO4NorzOwYBrPuInPa+y1eftQfvc/npa2J8wZqJ+0fCYRv2pGdO7m
Qi+EGVPJYkF8BmAurlHUPFrQrRE7bBQF2TM+jEhYU/d2EMwQ/7xIrgmYZFKP25XT
q8FyhtVK5Ro55QlomwSyZlE0dLeA/q7BDTGe1v9tFfmYv2+yy/0pSOiEa5uJEXZ+
d4w72HZW00JVv1+rM9gLUpSvfocb9DUbYaS7ErgQjNoMK+kM9nxSNhVxXWpMGHuY
nLNOrMg9BfLe9nSmFasJbvdr0nLwr6uR+0QdlM31pcdjoajMRUoKWk7u6MX0PDRo
sN/KsaIfK40l3KWK69UIWENTHT8t03nLBruXVb+P/CH8aWsaoI7eDWLSNLKz9Xa0
JdVNTmULKUVct5JqlmPq5b+hjtWeg5yyaYT7m/BW6UUZ/2jw/5yko6QZaH/LHVtV
fdqi/cMWYL1l+uHRIHeY
=s5rC
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:32:00 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:23 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started