And here is the patch.
Lukáš Nykrýn píše v Pá 07. 10. 2011 v 13:05 +0200:
> Some autochanger scripts allows local users to overwrite arbitrary files
> via a symlink attack on a /tmp/mtx.##### temporary file. In some of
> these scripts this issue was corrected so I have wrote patch which
> should correct the remaining.
>
> More info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
> https://bugzilla.redhat.com/show_bug.cgi?id=475469
> http://lists.debian.org/debian-devel/2008/08/msg00347.html
> http://uvw.ru/report.sid.txt
>
> Lukáš Nykrýn
diff -up bacula-5.0.3/examples/autochangers/ak-mtx-changer.txt.old bacula-5.0.3/examples/autochangers/ak-mtx-changer.txt
diff -up bacula-5.0.3/examples/autochangers/bacula-barcodes.old bacula-5.0.3/examples/autochangers/bacula-barcodes
diff -up bacula-5.0.3/examples/autochangers/chio-bacula.old bacula-5.0.3/examples/autochangers/chio-bacula
--- bacula-5.0.3/examples/autochangers/chio-bacula.old 2011-10-07 12:41:38.226790662 +0200
+++ bacula-5.0.3/examples/autochangers/chio-bacula 2011-10-07 12:22:45.488951832 +0200
@@ -119,11 +119,12 @@ case ${COMMAND} in
loaded)
# echo "Request loaded"
- ${MTX} -f ${CHANGER} status -S > /tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ ${MTX} -f ${CHANGER} status -S > $tempfile
rtn=$?
- cat /tmp/mtx.$$ | grep "^drive ${DRIVE}: <FULL>" | awk '{print $6+1}' | tr -d ">"
- cat /tmp/mtx.$$ | grep "^drive ${DRIVE}: source: <>" | awk "{print 0}"
- rm -f /tmp/mtx.$$
+ cat $tempfile | grep "^drive ${DRIVE}: <FULL>" | awk '{print $6+1}' | tr -d ">"
+ cat $tempfile | grep "^drive ${DRIVE}: source: <>" | awk "{print 0}"
+ rm -f $tempfile
exit $rtn
;;
diff -up bacula-5.0.3/examples/autochangers/chio-changer.old bacula-5.0.3/examples/autochangers/chio-changer
diff -up bacula-5.0.3/examples/autochangers/chio-changer.Sony-TSL-SA300C.old bacula-5.0.3/examples/autochangers/chio-changer.Sony-TSL-SA300C
--- bacula-5.0.3/examples/autochangers/chio-changer.Sony-TSL-SA300C.old 2011-10-07 12:41:38.227790649 +0200
+++ bacula-5.0.3/examples/autochangers/chio-changer.Sony-TSL-SA300C 2011-10-07 12:22:36.322066435 +0200
@@ -129,14 +129,15 @@ case ${COMMAND} in
loaded)
# echo "Request loaded"
- ${MTX} -f ${CHANGER} status -S > /tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ ${MTX} -f ${CHANGER} status -S > $tempfile
rtn=$?
- cat /tmp/mtx.$$ | grep "^slot .: <ACCESS>" | awk '{print $2+1}' | tr -d ":"
- drive=`cat /tmp/mtx.$$ | grep "^drive .: <ACCESS>"`
+ cat $tempfile | grep "^slot .: <ACCESS>" | awk '{print $2+1}' | tr -d ":"
+ drive=`cat $tempfile | grep "^drive .: <ACCESS>"`
if [ -n "$drive" ]; then
echo 0
fi
- rm -f /tmp/mtx.$$
+ rm -f $tempfile
exit $rtn
;;
diff -up bacula-5.0.3/examples/autochangers/locking-mtx-changer.old bacula-5.0.3/examples/autochangers/locking-mtx-changer
--- bacula-5.0.3/examples/autochangers/locking-mtx-changer.old 2011-10-07 12:41:38.227790649 +0200
+++ bacula-5.0.3/examples/autochangers/locking-mtx-changer 2011-10-07 12:03:51.698126167 +0200
@@ -141,11 +141,12 @@ case $cmd in
;;
loaded)
- ${MTX} -f $ctl status >/tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ ${MTX} -f $ctl status > $tempfile
rtn=$?
- cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
- cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
- rm -f /tmp/mtx.$$
+ cat $tempfile | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
+ cat $tempfile | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
+ rm -f $tempfile
changer_unlock $ctl
exit $rtn
;;
diff -up bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-100.old bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-100
--- bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-100.old 2011-10-07 12:41:38.229790623 +0200
+++ bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-100 2011-10-07 12:23:19.041532367 +0200
@@ -372,17 +372,18 @@ case "$2" in
loaded)
echo "Request loaded, DREW YOU HAVEN'T IMPLEMENTED YET!!!!"
- ${MTX} -f $1 status >/tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ ${MTX} -f $1 status >$tempfile
rtn=$?
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Full" | awk "{print
+ cat $tempfile | grep "^Data Transfer Element 0:Full" | awk "{print
\$7}"
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Empty" | awk "{print
+ cat $tempfile | grep "^Data Transfer Element 0:Empty" | awk "{print
0}"
-# cat /tmp/mtx.$$ | grep "^Data Transfer Element 1:Full" | awk "{print
+# cat $tempfile | grep "^Data Transfer Element 1:Full" | awk "{print
\$7}"
-# cat /tmp/mtx.$$ | grep "^Data Transfer Element 1:Empty" | awk
+# cat $tempfile | grep "^Data Transfer Element 1:Empty" | awk
"{print 0}"
- rm -f /tmp/mtx.$$
+ rm -f $tempfile
echo "mtx-changer returning value: $rtn"
exit $rtn
diff -up bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-24.old bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-24
--- bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-24.old 2011-10-07 12:41:38.229790623 +0200
+++ bacula-5.0.3/examples/autochangers/mtx-changer.Adic-Scalar-24 2011-10-07 12:03:42.882236382 +0200
@@ -105,8 +105,8 @@ case $cmd in
tempfile=`mktemp -t` || exit 33
${MTX} -f $ctl status > $tempfile
rtn=$?
- cat $tempfile | grep "^Data Transfer Element $drive:Full" | awk '{print $7}'
- cat $tempfile | grep "^Data Transfer Element $drive:Empty" | awk '{print 0}'
+ cat $tempfile | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
+ cat $tempfile | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
rm -f $tempfile
exit $rtn
;;
diff -up bacula-5.0.3/examples/autochangers/mtx-changer.Sony-TSL-SA300C.old bacula-5.0.3/examples/autochangers/mtx-changer.Sony-TSL-SA300C
diff -up bacula-5.0.3/examples/autochangers/mtx-changer.StorageTek-HPA4853.old bacula-5.0.3/examples/autochangers/mtx-changer.StorageTek-HPA4853
--- bacula-5.0.3/examples/autochangers/mtx-changer.StorageTek-HPA4853.old 2011-10-07 12:41:38.231790597 +0200
+++ bacula-5.0.3/examples/autochangers/mtx-changer.StorageTek-HPA4853 2011-10-07 12:46:55.953818526 +0200
@@ -51,10 +51,11 @@ case "$2" in
#
#Check if you want to fool me
if [ $MTXCHVERBOSE -eq 1 ] ; then echo "mtx-changer: Checking if drive is loaded before we unload. I Request loaded" ; fi
- mtx -f $1 status >/tmp/mtx.$$
+ mtx -f $1 status >$tempfile
rm -f /tmp/mtxloaded
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Full" | awk "{print \$7}" > /tmp/mtxloaded
- rm -f /tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ cat $tempfile | grep "^Data Transfer Element 0:Full" | awk "{print \$7}" > /tmp/mtxloaded
+ rm -f $tempfile
read LOADEDVOL </tmp/mtxloaded
if [ -z "$LOADEDVOL" ] ; then
LOADEDVOL=0
@@ -71,10 +72,11 @@ case "$2" in
load)
#Let's check if drive is loaded before we load it
if [ $MTXCHVERBOSE -eq 1 ] ; then echo "mtx-changer: Checking if drive is loaded before we load. I Request loaded" ; fi
- mtx -f $1 status >/tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ mtx -f $1 status >$tempfile
rm -f /tmp/mtxloaded
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Full" | awk "{print \$7}" > /tmp/mtxloaded
- rm -f /tmp/mtx.$$
+ cat $tempfile | grep "^Data Transfer Element 0:Full" | awk "{print \$7}" > /tmp/mtxloaded
+ rm -f $tempfile
read LOADEDVOL </tmp/mtxloaded
if [ -z "$LOADEDVOL" ] ; then
LOADEDVOL=0
@@ -124,10 +126,11 @@ case "$2" in
loaded)
if [ $MTXCHVERBOSE -eq 1 ] ; then echo "mtx-changer: Request loaded" ; fi
- mtx -f $1 status >/tmp/mtx.$$
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Full" | awk "{print \$7}"
- cat /tmp/mtx.$$ | grep "^Data Transfer Element 0:Empty" | awk "{print 0}"
- rm -f /tmp/mtx.$$
+ rm -f /tmp/mtxloaded
+ mtx -f $1 status >/tmp/$tempfile
+ cat $tempfile | grep "^Data Transfer Element 0:Full" | awk "{print \$7}"
+ cat $tempfile | grep "^Data Transfer Element 0:Empty" | awk "{print 0}"
+ rm -f $tempfile
;;
slots)
diff -up bacula-5.0.3/examples/autochangers/multiple-drive-changer.txt.old bacula-5.0.3/examples/autochangers/multiple-drive-changer.txt
diff -up bacula-5.0.3/examples/autochangers/rc-chio-changer.old bacula-5.0.3/examples/autochangers/rc-chio-changer
diff -up bacula-5.0.3/examples/autochangers/solaris-mtx-changer.old bacula-5.0.3/examples/autochangers/solaris-mtx-changer
--- bacula-5.0.3/examples/autochangers/solaris-mtx-changer.old 2011-10-07 12:41:38.233790573 +0200
+++ bacula-5.0.3/examples/autochangers/solaris-mtx-changer 2011-10-07 12:03:54.097096176 +0200
@@ -142,11 +142,12 @@ case $cmd in
;;
loaded)
- ${MTX} -f $ctl status >/tmp/mtx.$$
+ tempfile=`mktemp -t` || exit 33
+ ${MTX} -f $ctl status > $tempfile
rtn=$?
- cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
- cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
- rm -f /tmp/mtx.$$
+ cat $tempfile | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
+ cat $tempfile | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
+ rm -f $tempfile
exit $rtn
;;
diff -up bacula-5.0.3/examples/autochangers/Sun-desktop-20Gb-4mm-autoloader.old bacula-5.0.3/examples/autochangers/Sun-desktop-20Gb-4mm-autoloader
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2
_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
