Temporary file vulnerability in iscsi_discovery

Bug #408915 reported by Colin Watson
Affects               Status         Importance  Assigned to       Milestone
open-iscsi (Ubuntu)   Fix Released   Low         Unassigned
Hardy                 Fix Released   Low         Jamie Strandboge
Intrepid              Invalid        Low         Unassigned
Jaunty                Won't Fix      Low         Unassigned
Karmic                Fix Released   Low         Unassigned

Bug Description

Binary package hint: open-iscsi

The iscsi_discovery shell script, typically run as root, contains the following code:

        df=/tmp/discovered.$$

        dbg "starting discovery to $ip"
        iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}

This is a standard security vulnerability and should be replaced by use of mktemp.

Colin Watson (cjwatson) wrote :
Kees Cook (kees) wrote :

CVE-2009-1297

visibility: private → public
Kees Cook (kees) wrote :

This is public now, feel free to upload once the freeze clears.

Changed in open-iscsi (Ubuntu Karmic):
status: New → Confirmed
Changed in open-iscsi (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → Low
Changed in open-iscsi (Ubuntu Karmic):
importance: Undecided → Low
Changed in open-iscsi (Ubuntu Intrepid):
importance: Undecided → Low
status: New → Confirmed
Changed in open-iscsi (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package open-iscsi - 2.0.870.1-0ubuntu11

---------------
open-iscsi (2.0.870.1-0ubuntu11) karmic; urgency=low

  * open-iscsi-utils Replaces: old versions of open-iscsi.
  * SECURITY UPDATE: temporary file vulnerability (LP: #408915)
    - utils/iscsi_discovery: store iscsiadm -m discovery result in a
      variable rather than writing it to an insecurely-created temporary
      file
    - CVE-2009-1297

 -- Colin Watson <email address hidden> Mon, 24 Aug 2009 23:42:10 +0100

Changed in open-iscsi (Ubuntu Karmic):
status: Confirmed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in open-iscsi (Ubuntu Intrepid):
status: Confirmed → Invalid
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as fixed in later versions of Ubuntu.

Changed in open-iscsi (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Changed in open-iscsi (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in open-iscsi (Ubuntu Hardy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in open-iscsi (Ubuntu Hardy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package open-iscsi - 2.0.865-1ubuntu3.5

---------------
open-iscsi (2.0.865-1ubuntu3.5) hardy-security; urgency=low

  * SECURITY UPDATE: temporary file vulnerability (LP: #408915)
    - utils/iscsi_discovery: use mktemp to store iscsiadm -m discovery result
      rather than writing it to an insecurely-created temporary file. Move
      cleanup sooner so we don't leave files around if nothing is discovered.
    - CVE-2009-1297
 -- Jamie Strandboge <email address hidden> Thu, 20 Oct 2011 14:23:00 -0500

Changed in open-iscsi (Ubuntu Hardy):
status: Fix Committed → Fix Released
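
The two fixes named in the changelogs above (a variable for Karmic, mktemp for Hardy), sketched as an added shell example that is not the code shipped in the open-iscsi packages. `fake_discovery` is a hypothetical stand-in for the `iscsiadm -m discovery` call with constructed output, and all function names are assumptions.

```shell
#!/bin/sh
# Stand-in for: iscsiadm -m discovery --type sendtargets --portal ${ip}:${port}
# (constructed sample output; the real command needs a reachable iSCSI portal).
fake_discovery() {
    printf '%s\n' \
        '192.0.2.10:3260,1 iqn.2009-08.example:disk0' \
        '192.0.2.10:3260,1 iqn.2009-08.example:disk1'
}

# Karmic-style fix: keep the result in a variable, so a root-run script
# never writes to a guessable path in world-writable /tmp.
discover_to_variable() {
    discovered=$(fake_discovery) || return 1
    printf '%s\n' "$discovered"
}

# Hardy-style fix: mktemp picks an unpredictable name and creates the file
# itself; the file is removed as soon as its content has been read.
discover_to_tempfile() {
    df=$(mktemp "${TMPDIR:-/tmp}/discovered.XXXXXXXXXX") || return 1
    if ! fake_discovery > "$df"; then
        rm -f -- "$df"
        return 1
    fi
    result=$(cat -- "$df")
    rm -f -- "$df"      # cleanup happens before any later step can bail out
    printf '%s\n' "$result"
}

# Show the permission bits mktemp gives a new file (expected: owner-only).
tempfile_perms() {
    f=$(mktemp "${TMPDIR:-/tmp}/discovered.XXXXXXXXXX") || return 1
    ls -l -- "$f" | cut -c1-10
    rm -f -- "$f"
}

discover_to_tempfile
```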
This report contains Public Security information  
Everyone can see this security related information.
