GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jun 02, 2010 1:26 am Post subject: [ GLSA 201006-10 ] multipath-tools: World-writeable socket
Gentoo Linux Security Advisory
Title: multipath-tools: World-writeable socket (GLSA 201006-10)
Severity: normal
Exploitable: local
Date: June 01, 2010
Bug(s): #264564
ID: 201006-10
Synopsis
multipath-tools does not set correct permissions on the socket file, making
it possible for local users to send arbitrary commands to the multipath
daemon.
Background
multipath-tools are used to drive the Device Mapper multipathing
driver.
Affected Packages
Package: sys-fs/multipath-tools
Vulnerable: < 0.4.8-r1
Unaffected: >= 0.4.8-r1
Architectures: All supported architectures
Description
multipath-tools uses world-writable permissions for the socket file
(/var/run/multipathd.sock).
Impact
Local users could send arbitrary commands to the multipath daemon,
causing cluster failures and data loss.
Workaround
chmod o-rwx /var/run/multipathd.sock
Resolution
All multipath-tools users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 13, 2009. It is likely that your system is
already no longer affected by this issue.
References
CVE-2009-0115
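The permission check and the workaround from this advisory, as an added example that is not part of the original GLSA or of multipath-tools: it walks a runtime directory, reports Unix sockets that grant any permission to "other", and applies the equivalent of chmod o-rwx. The function names and the demo socket name are hypothetical, and the demo socket is constructed in a temporary directory; on a real host the directory to audit would be /var/run.

```python
import os
import socket
import stat
import tempfile

OTHER_BITS = stat.S_IRWXO  # the "o" class that `chmod o-rwx` clears


def world_accessible_sockets(root):
    """Return [(path, octal_mode)] for Unix sockets under root with any 'other' bit set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished between listing and stat
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & OTHER_BITS:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def restrict_other(path):
    """Equivalent of `chmod o-rwx path`; refuses anything that is not a socket."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    new_mode = stat.S_IMODE(st.st_mode) & ~OTHER_BITS
    os.chmod(path, new_mode)
    return oct(new_mode)


def demo():
    """Constructed scenario: a daemon-style control socket left at mode 0777."""
    with tempfile.TemporaryDirectory() as run_dir:
        path = os.path.join(run_dir, "demo-daemon.sock")  # constructed name
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            os.chmod(path, 0o777)  # reproduce the world-writable state
            before = world_accessible_sockets(run_dir)
            fixed_mode = restrict_other(path)
            after = world_accessible_sockets(run_dir)
    return before, fixed_mode, after


if __name__ == "__main__":
    print(demo())
```

Changing the mode only lasts until the daemon recreates the socket, so the upgrade in the Resolution section remains the fix.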