[Secure-testing-team] Bug#547011: Insecure temporary file name in iscsi_discovery

Moritz Muehlenhoff jmm at debian.org
Wed Sep 16 20:08:04 UTC 2009


Package: open-iscsi
Severity: important
Tags: security

The following report was sent to us by Kees Cook, this is CVE-2009-1297.

There are currently more important issues scheduled for DSAs, please fix
this one by preparing an update for the next stable point update. Etch
is not affected.

Cheers,
        Moritz

Colin Watson reported the following bug:
https://launchpad/bugs/408915

  The iscsi_discovery shell script, typically run as root, contains the
  following code:

        df=/tmp/discovered.$$

        dbg "starting discovery to $ip"
        iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}

  This is a standard security vulnerability and should be replaced by use of
  mktemp or shell variables.

The proposed patch is attached.

diff -u open-iscsi-2.0.870.1/utils/iscsi_discovery open-iscsi-2.0.870.1/utils/iscsi_discovery
--- open-iscsi-2.0.870.1/utils/iscsi_discovery
+++ open-iscsi-2.0.870.1/utils/iscsi_discovery
@@ -128,24 +128,22 @@

        connected=0
        discovered=0
-       df=/tmp/discovered.$$

        dbg "starting discovery to $ip"
-       iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}
-       while read portal target
+       disc="$(iscsiadm -m discovery --type sendtargets --portal ${ip}:${port})"
+       echo "${disc}" | while read portal target
        do
                portal=${portal%,*}
                select_transport
-       done < ${df}
+       done

-       discovered=$(cat ${df} | wc -l)
+       discovered=$(echo "${disc}" | wc -l)
        if [ ${discovered} = 0 ]; then
                echo "failed to discover targets at ${ip}"
                exit 2
        else
                echo "discovered ${discovered} targets at ${ip}"
        fi
-       /bin/rm -f ${df}
 }

 try_login()
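
Review bot: The new `discovered=$(echo "${disc}" | wc -l)` line yields 1 even when iscsiadm prints nothing, because echo always emits a trailing newline, so the `[ ${discovered} = 0 ]` branch and its `exit 2` can no longer be reached on a failed discovery. Test the string first, for example `[ -n "${disc}" ]`, before counting lines. Separately, `echo "${disc}" | while read portal target` runs the loop body in a subshell in most shells, whereas the old `done < ${df}` ran it in the current shell; if select_transport is expected to update variables such as `connected` (initialised just above), those updates are lost after `done`. Feeding the loop from a here-document containing ${disc} would keep it in the current shell.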


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages open-iscsi depends on:
ii  libc6                         2.9-26     GNU C Library: Shared libraries

open-iscsi recommends no packages.

open-iscsi suggests no packages.
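
The mktemp alternative named in the quoted report, sketched as an added example that is not part of the original message or of the open-iscsi code. fake_discovery is a hypothetical stand-in for the iscsiadm call, and the records it prints are constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for "iscsiadm -m discovery --type sendtargets ...".
# Prints constructed "portal,tpgt target" records, or nothing for "empty".
fake_discovery() {
    [ "$1" = "empty" ] && return 0
    printf '%s\n' \
        '192.0.2.10:3260,1 iqn.2009-09.example:disk1' \
        '192.0.2.11:3260,1 iqn.2009-09.example:disk2'
}

# Run discovery into a private temp file; sets $discovered and $portals.
# Returns non-zero when discovery fails or finds no targets.
discover() {
    discovered=0
    portals=""
    # mktemp picks an unpredictable name and creates the file exclusively,
    # readable by the owner only, so a pre-planted /tmp/discovered.<pid>
    # symlink is never followed. It fails instead of reusing a name.
    df=$(mktemp "${TMPDIR:-/tmp}/discovered.XXXXXXXXXX") || return 1
    if ! fake_discovery "$1" > "$df"; then
        rm -f -- "$df"
        return 1
    fi
    # Redirecting from the file keeps the loop in the current shell, so
    # variables set inside it are still visible after "done".
    while read -r portal target
    do
        portal=${portal%,*}
        portals="${portals}${portals:+ }${portal}"
        discovered=$((discovered + 1))
    done < "$df"
    rm -f -- "$df"
    [ "$discovered" -gt 0 ]
}

# Stand-alone demonstration with the constructed records.
if discover demo; then
    echo "discovered ${discovered} targets: ${portals}"
else
    echo "failed to discover targets"
fi
```

Counting inside the loop instead of with wc -l means an empty result is reported as zero targets.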
