sanlock: CVE-2012-5638


Debian Bug report logs - #696424


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 20 Dec 2012 16:15:01 UTC

Severity: grave

Tags: patch, security

Fixed in version sanlock/2.2-2

Done: David Weber <wb@munzinger.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Thu, 20 Dec 2012 16:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Weber <wb@munzinger.de>. (Thu, 20 Dec 2012 16:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sanlock: CVE-2012-5638
Date: Thu, 20 Dec 2012 17:08:59 +0100
Package: sanlock
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5638

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Mon, 24 Dec 2012 21:33:08 GMT) (full text, mbox, link).


Acknowledgement sent to Martin Quinson <martin.quinson@loria.fr>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Mon, 24 Dec 2012 21:33:08 GMT) (full text, mbox, link).


Message #10 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Martin Quinson <martin.quinson@loria.fr>
To: 696424@bugs.debian.org
Subject: Possible patch
Date: Mon, 24 Dec 2012 22:29:24 +0100
[Message part 1 (text/plain, inline)]
Hello,

attached is a possible patch for that issue. This is just a starting
point, as I was not able to test the patch myself. Also, I used 660 as
permissions to the file, I'm not sure of whether it's sensible or not.

Please review and test before applying.

HTH anyway,
Mt.

-- 
We have nine months of privacy before being born; that should be
enough for us. -- Heathcote Williams, Actuel n°48, November 74.
[CVE-2012-5638.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Wed, 02 Jan 2013 11:45:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Thu, 03 Jan 2013 21:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Thu, 03 Jan 2013 21:45:06 GMT) (full text, mbox, link).


Message #17 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Martin Quinson <martin.quinson@loria.fr>, 696424@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#696424: Possible patch
Date: Thu, 3 Jan 2013 22:41:38 +0100
[Message part 1 (text/plain, inline)]
Hi

On Mon, Dec 24, 2012 at 10:29:24PM +0100, Martin Quinson wrote:
> attached is a possible patch for that issue. This is just a starting
> point, as I was not able to test the patch myself. Also, I used 660 as
> permissions to the file, I'm not sure of whether it's sensible or not.
> 
> Please review and test before applying.

I also had a look at this vulnerability while going through the open RC
bugs for wheezy. I had a look at the upstream git repository and there
are at least [1], [2] and [3].

 [1]: http://git.fedorahosted.org/cgit/sanlock.git/commit/?id=3a2ba2d0fbe78f4eacd438b708ceff6e96903d37
 [2]: http://git.fedorahosted.org/cgit/sanlock.git/commit/?id=1339694c3bad23055f896e90353c81fd65bd4a7e
 [3]: http://git.fedorahosted.org/cgit/sanlock.git/commit/?id=9b13cb12973fac422423eec1c6a91f21b5257c92

Attached is the debdiff containing these three refreshed for the
version in unstable and testing. But I'm not yet ready to propose a
NMU. Testing of the resulting package is welcome!

David, are you working too on it?

Regards
Salvatore
[sanlock_2.2-1.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Sat, 05 Jan 2013 08:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Sat, 05 Jan 2013 08:48:04 GMT) (full text, mbox, link).


Message #22 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 696424@bugs.debian.org
Cc: Martin Quinson <martin.quinson@loria.fr>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#696424: Possible patch
Date: Sat, 5 Jan 2013 09:44:25 +0100
Hi

Only a small follow-up. David (Maintainer of sanlock) will have a look
at this in the upcoming week.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Mon, 07 Jan 2013 09:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to "David Weber" <wb@munzinger.de>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Mon, 07 Jan 2013 09:18:03 GMT) (full text, mbox, link).


Message #27 received at 696424@bugs.debian.org (full text, mbox, reply):

From: "David Weber" <wb@munzinger.de>
To: "Salvatore Bonaccorso" <carnil@debian.org>, "Martin Quinson" <martin.quinson@loria.fr>, 696424@bugs.debian.org
Cc: "Moritz Muehlenhoff" <jmm@inutil.org>
Subject: Re: Bug#696424: Possible patch
Date: Mon, 7 Jan 2013 09:06:53 +0000
[Message part 1 (text/plain, inline)]
> Attached is the debdiff containing these three refreshed for the
> version in unstable and testing. But I'm not yet ready to propose a
> NMU. Testing of the resulting package is welcome!

Thanks for the debdiff!

It works as expected: It creates the files with the right 
permissions without breaking functionality.

A problem could be that the files aren't freshly created by a simple
restart of the daemon. Should something be done about that?

Some options could be:
- Notify the user to stop libvirtd and sanlock and run 
rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log

- Change the file permissions through the package update

- Do nothing because most likely nobody uses sanlock on Debian atm.

Cheers,
David
[sanlock_2.2-1.1.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Mon, 07 Jan 2013 20:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Mon, 07 Jan 2013 20:33:05 GMT) (full text, mbox, link).


Message #32 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Weber <wb@munzinger.de>
Cc: Martin Quinson <martin.quinson@loria.fr>, 696424@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#696424: Possible patch
Date: Mon, 7 Jan 2013 21:31:44 +0100
[Message part 1 (text/plain, inline)]
Hi David

On Mon, Jan 07, 2013 at 09:06:53AM +0000, David Weber wrote:
> > Attached is the debdiff containing these three refreshed for the
> > version in unstable and testing. But I'm not yet ready to propose a
> > NMU. Testing of the resulting package is welcome!
> 
> Thanks for the debdiff!
> 
> It works as expected: It creates the files with the right 
> permissions without breaking functionality.
> 
> A problem could be that the files aren't freshly created by a simple
> restart of the daemon. Should something be done about that?
> 
> Some options could be:
> - Notify the user to stop libvirtd and sanlock and run 
> rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log
> 
> - Change the file permissions through the package update
> 
> - Do nothing because most likely nobody uses sanlock on Debian atm.

I don't have a final answer here, but it might be easy to implement like
libvirt-bin does in postinst, maybe only conditionally checking (so
doing it during package update from a 'broken' version):

[...]
if ! dpkg-statoverride --list "/var/log/sanlock.log" >/dev/null 2>&1; then
	# fix permissions
fi
[...]

and the same for /var/run/sanlock/sanlock.sock.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Thu, 10 Jan 2013 10:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to "David Weber" <wb@munzinger.de>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Thu, 10 Jan 2013 10:21:03 GMT) (full text, mbox, link).


Message #37 received at 696424@bugs.debian.org (full text, mbox, reply):

From: "David Weber" <wb@munzinger.de>
To: "Salvatore Bonaccorso" <carnil@debian.org>
Cc: "Martin Quinson" <martin.quinson@loria.fr>, 696424@bugs.debian.org, "Moritz Muehlenhoff" <jmm@inutil.org>, agx@sigxcpu.org
Subject: Re: Bug#696424: Possible patch
Date: Thu, 10 Jan 2013 10:16:35 +0000
[Message part 1 (text/plain, inline)]
> Hi David
> 
> On Mon, Jan 07, 2013 at 09:06:53AM +0000, David Weber wrote:
> > > Attached is the debdiff containing these three refreshed for the
> > > version in unstable and testing. But I'm not yet ready to propose a
> > > NMU. Testing of the resulting package is welcome!
> > 
> > Thanks for the debdiff!
> > 
> > It works as expected: It creates the files with the right 
> > permissions without breaking functionality.
> > 
> > A problem could be that the files aren't freshly created by a simple
> > restart of the daemon. Should something be done about that?
> > 
> > Some options could be:
> > - Notify the user to stop libvirtd and sanlock and run 
> > rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log
> > 
> > - Change the file permissions through the package update
> > 
> > - Do nothing because most likely nobody uses sanlock on Debian atm.
> 
> I don't have a final answer here, but it might be easy to implement like
> libvirt-bin does in postinst, maybe only conditionally checking (so
> doing it during package update from a 'broken' version):
> 
> [...]
> if ! dpkg-statoverride --list "/var/log/sanlock.log" >/dev/null 2>&1; then
>         # fix permissions
> fi
> [...]
> 
> and the same for /var/run/sanlock/sanlock.sock.

Great hint. I modified the patch in that way and also added the
fix for #689696.

Guido, can you pull that debdiff directly or should I send you 
an updated debian.tar.gz?


> 
> Regards,
> Salvatore

[sanlock_cve.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Thu, 10 Jan 2013 18:03:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Thu, 10 Jan 2013 18:03:07 GMT) (full text, mbox, link).


Message #42 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Weber <wb@munzinger.de>, 696424@bugs.debian.org
Cc: Martin Quinson <martin.quinson@loria.fr>, Moritz Muehlenhoff <jmm@inutil.org>, agx@sigxcpu.org
Subject: Re: Bug#696424: Possible patch
Date: Thu, 10 Jan 2013 19:00:19 +0100
[Message part 1 (text/plain, inline)]
Hi David

On Thu, Jan 10, 2013 at 10:16:35AM +0000, David Weber wrote:
> > Hi David
> > 
> > On Mon, Jan 07, 2013 at 09:06:53AM +0000, David Weber wrote:
> > > > Attached is the debdiff containing these three refreshed for the
> > > > version in unstable and testing. But I'm not yet ready to propose a
> > > > NMU. Testing of the resulting package is welcome!
> > > 
> > > Thanks for the debdiff!
> > > 
> > > It works as expected: It creates the files with the right 
> > > permissions without breaking functionality.
> > > 
> > > A problem could be that the files aren't freshly created by a simple
> > > restart of the daemon. Should something be done about that?
> > > 
> > > Some options could be:
> > > - Notify the user to stop libvirtd and sanlock and run 
> > > rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log
> > > 
> > > - Change the file permissions through the package update
> > > 
> > > - Do nothing because most likely nobody uses sanlock on Debian atm.
> > 
> > I don't have a final answer here, but it might be easy to implement like
> > libvirt-bin does in postinst, maybe only conditionally checking (so
> > doing it during package update from a 'broken' version):
> > 
> > [...]
> > if ! dpkg-statoverride --list "/var/log/sanlock.log" >/dev/null 2>&1; then
> >         # fix permissions
> > fi
> > [...]
> > 
> > and the same for /var/run/sanlock/sanlock.sock.
> 
> Great hint. I modified the patch in that way and also added the 
> fix for #689696

Btw, after thinking further about it: As both /var/log/sanlock.log
and /var/run/sanlock/sanlock.sock are not files installed by the
package, I think the check with dpkg-statoverride is in this case
wrong! Sorry about the wrong suggestion.

So I think it's best to remove this again.

Regarding the second: I suggest including in this upload only fixes
compliant with the freeze policy:

 [1]: http://release.debian.org/wheezy/freeze_policy.html

(but I have not looked if #689696 can be considered RC).

+sanlock (2.2-1.1) unstable; urgency=low
+
+  * Fix CVE-2012-5638 sanlock world writable /var/log/sanlock.log. Thanks to Salvatore Bonaccorso (Closes: #696424)

^^^^ would wrap this line

+    Add patches cherry-picked from git repository:
+     - 0001-sanlock-remove-umask-0.patch
+     - 0001-sanlock-use-lockfile-mode-644.patch
+     - 0001-wdmd-use-lockfile-mode-644.patch
+  * Replace restrict field name (Closes: #689696)
+    Add patche cherry.picked from git repository:

         ^^^^^ s{patche}{patch} and s{cherry.picked}{cherry picked}

Again thanks for your work!

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Tue, 15 Jan 2013 12:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to "David Weber" <wb@munzinger.de>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Tue, 15 Jan 2013 12:27:03 GMT) (full text, mbox, link).


Message #47 received at 696424@bugs.debian.org (full text, mbox, reply):

From: "David Weber" <wb@munzinger.de>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 696424@bugs.debian.org
Cc: "Martin Quinson" <martin.quinson@loria.fr>, "Moritz Muehlenhoff" <jmm@inutil.org>, agx@sigxcpu.org
Subject: Re: Bug#696424: Possible patch
Date: Tue, 15 Jan 2013 12:25:48 +0000
[Message part 1 (text/plain, inline)]
Hi Salvatore

> Hi David
> 
> On Thu, Jan 10, 2013 at 10:16:35AM +0000, David Weber wrote:
> > > Hi David
> > > 
> > > On Mon, Jan 07, 2013 at 09:06:53AM +0000, David Weber wrote:
> > > > > Attached is the debdiff containing these three refreshed for the
> > > > > version in unstable and testing. But I'm not yet ready to propose a
> > > > > NMU. Testing of the resulting package is welcome!
> > > > 
> > > > Thanks for the debdiff!
> > > > 
> > > > It works as expected: It creates the files with the right 
> > > > permissions without breaking functionality.
> > > > 
> > > > A problem could be that the files aren't freshly created by a simple
> > > > restart of the daemon. Should something be done about that?
> > > > 
> > > > Some options could be:
> > > > - Notify the user to stop libvirtd and sanlock and run 
> > > > rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log
> > > > 
> > > > - Change the file permissions through the package update
> > > > 
> > > > - Do nothing because most likely nobody uses sanlock on Debian atm.
> > > 
> > > I don't have a final answer here, but it might be easy to implement like
> > > libvirt-bin does in postinst, maybe only conditionally checking (so
> > > doing it during package update from a 'broken' version):
> > > 
> > > [...]
> > > if ! dpkg-statoverride --list "/var/log/sanlock.log" >/dev/null 2>&1; then
> > >         # fix permissions
> > > fi
> > > [...]
> > > 
> > > and the same for /var/run/sanlock/sanlock.sock.
> > 
> > Great hint. I modified the patch in that way and also added the 
> > fix for #689696
> 
> Btw, after thinking further about it: As both /var/log/sanlock.log
> and /var/run/sanlock/sanlock.sock are not files installed by the
> package, I think the check with dpkg-statoverride is in this case
> wrong! Sorry about the wrong suggestion.
> 
> So I think it's best to remove this again.

Oops, that's right. I now check the permissions and change
them in case they are wrong.


> 
> Regarding the second: I suggest including in this upload only fixes
> compliant with the freeze policy:
> 
> [1]: http://release.debian.org/wheezy/freeze_policy.html
> 
> (but I have not looked if #689696 can be considered RC).

Since it is a build fix, I guess it classifies.

> 
> +sanlock (2.2-1.1) unstable; urgency=low
> +
> + * Fix CVE-2012-5638 sanlock world writable /var/log/sanlock.log. Thanks to Salvatore Bonaccorso (Closes: #696424)
> 
> ^^^^ would wrap this line
> 
> + Add patches cherry-picked from git repository:
> + - 0001-sanlock-remove-umask-0.patch
> + - 0001-sanlock-use-lockfile-mode-644.patch
> + - 0001-wdmd-use-lockfile-mode-644.patch
> + * Replace restrict field name (Closes: #689696)
> + Add patche cherry.picked from git repository:
> 
> ^^^^^ s{patche}{patch} and s{cherry.picked}{cherry picked}

Oops, fixed.

> 
> Again thanks for your work!

Thank you too!

> 
> Regards,
> Salvatore
Cheers,
David

[sanlock_cve2.debdiff (application/octet-stream, attachment)]
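The postinst-style repair David describes above (check the mode of the daemon-created files and change it only if it is wrong, without consulting dpkg-statoverride, as Salvatore pointed out these files are not shipped by the package), written here as an added example; it is not the sanlock package's own postinst. The 644 target for /var/log/sanlock.log is an assumption taken from the cherry-picked patch names, and the socket's intended mode is left as a placeholder because the page does not state it.

```shell
#!/bin/sh
# Added example, not the sanlock package's postinst. Repairs the mode of
# files the daemon created before the fix; dpkg-statoverride is deliberately
# not consulted because these files are not shipped by the package.
set -e

# current_mode PATH: print the permission bits in octal (e.g. 644).
# GNU stat first, BSD stat as a fallback.
current_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# fix_mode PATH MODE: tighten PATH to MODE if it grants any bit MODE does
# not. Prints one status line; returns non-zero only if chmod fails.
fix_mode() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        # Nothing to repair: the patched daemon creates the file correctly
        # on its next start.
        echo "skip: $path does not exist"
        return 0
    fi
    have=$(current_mode "$path")
    # Bits present in $have but absent from $want (leading 0 forces octal).
    extra=$(( 0$have & ~0$want & 0777 ))
    if [ "$extra" -eq 0 ]; then
        # Already as strict as, or stricter than, the target: leave it alone
        # so a local admin's hardening is not undone by the upgrade.
        echo "ok: $path is $have (no bits beyond $want)"
        return 0
    fi
    chmod "$want" "$path"
    echo "fixed: $path $have -> $want"
}

# repair_sanlock_files: the two paths discussed in this bug. The 644 for the
# log file is an assumption taken from the patch names; the socket mode must
# match what the patched daemon itself uses and is left as a placeholder.
repair_sanlock_files() {
    fix_mode /var/log/sanlock.log 644
    # fix_mode /var/run/sanlock/sanlock.sock <mode used by the patched daemon>
}

# Mimic the maintainer-script entry point: only act on "configure".
if [ "${1:-}" = "configure" ]; then
    repair_sanlock_files
fi
```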

Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Wed, 16 Jan 2013 07:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Wed, 16 Jan 2013 07:24:03 GMT) (full text, mbox, link).


Message #52 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Weber <wb@munzinger.de>
Cc: 696424@bugs.debian.org, Martin Quinson <martin.quinson@loria.fr>, Moritz Muehlenhoff <jmm@inutil.org>, agx@sigxcpu.org
Subject: Re: Bug#696424: Possible patch
Date: Wed, 16 Jan 2013 08:20:26 +0100
Hi David and Guido

Thanks for the further update. Guido, are you also sponsoring this
upload from David (as you might know sanlock better)? If you have no
time at the moment I can try to upload David's update in the
coming days.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Wed, 16 Jan 2013 07:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Wed, 16 Jan 2013 07:39:06 GMT) (full text, mbox, link).


Message #57 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: David Weber <wb@munzinger.de>, 696424@bugs.debian.org, Martin Quinson <martin.quinson@loria.fr>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#696424: Possible patch
Date: Wed, 16 Jan 2013 08:37:21 +0100
Hi Salvatore,
On Wed, Jan 16, 2013 at 08:20:26AM +0100, Salvatore Bonaccorso wrote:
> Hi David and Guido
> 
> Thanks for the further update. Guido, are you also sponsoring this
> upload from David (as you might know sanlock better)? If you have no
> time at the moment I can try to upload David's update in the
> coming days.

It'd be great if you could sponsor this since you ironed out all the
details with David!
Cheers,
 -- Guido

> 
> Regards,
> Salvatore
> 



Information forwarded to debian-bugs-dist@lists.debian.org, David Weber <wb@munzinger.de>:
Bug#696424; Package sanlock. (Wed, 16 Jan 2013 21:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Weber <wb@munzinger.de>. (Wed, 16 Jan 2013 21:39:03 GMT) (full text, mbox, link).


Message #62 received at 696424@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Weber <wb@munzinger.de>, 696424@bugs.debian.org
Cc: Martin Quinson <martin.quinson@loria.fr>, Moritz Muehlenhoff <jmm@inutil.org>, agx@sigxcpu.org
Subject: Re: Bug#696424: Possible patch
Date: Wed, 16 Jan 2013 22:37:02 +0100
Hi David

I uploaded your package, with the following small change: Version
number changed from 2.2-1.1 (NMU version number scheme) to 2.2-2 (as
you are maintainer).

Not required, but would help: add patch headers to the patches you add
in debian/patch, see [1].

 [1]: http://dep.debian.net/deps/dep3/

Regards,
Salvatore



Reply sent to David Weber <wb@munzinger.de>:
You have taken responsibility. (Wed, 16 Jan 2013 21:51:10 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 16 Jan 2013 21:51:10 GMT) (full text, mbox, link).


Message #67 received at 696424-close@bugs.debian.org (full text, mbox, reply):

From: David Weber <wb@munzinger.de>
To: 696424-close@bugs.debian.org
Subject: Bug#696424: fixed in sanlock 2.2-2
Date: Wed, 16 Jan 2013 21:48:13 +0000
Source: sanlock
Source-Version: 2.2-2

We believe that the bug you reported is fixed in the latest version of
sanlock, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Weber <wb@munzinger.de> (supplier of updated sanlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 03 Jan 2013 22:12:33 +0100
Source: sanlock
Binary: sanlock libsanlock-client1 libsanlock-dev
Architecture: source amd64
Version: 2.2-2
Distribution: unstable
Urgency: low
Maintainer: David Weber <wb@munzinger.de>
Changed-By: David Weber <wb@munzinger.de>
Description: 
 libsanlock-client1 - shared storage lock manager (client library)
 libsanlock-dev - shared storage lock manager (development files)
 sanlock    - shared storage lock manager
Closes: 689696 696424
Changes: 
 sanlock (2.2-2) unstable; urgency=low
 .
   * Fix CVE-2012-5638 sanlock world writable /var/log/sanlock.log.
     Thanks to Salvatore Bonaccorso (Closes: #696424)
     Add patches cherry-picked from git repository:
      - 0001-sanlock-remove-umask-0.patch
      - 0001-sanlock-use-lockfile-mode-644.patch
      - 0001-wdmd-use-lockfile-mode-644.patch
   * Replace restrict field name (Closes: #689696)
     Add patch cherry-picked from git repository:
      - restrict.patch





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:26:41 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:47 2019; Machine Name: buxtehude
