Scientific Linux: 2011:0021 Low: rgmanager Multiple Security Fixes

Low: rgmanager security and bug fix update
Date: Thu, 24 Feb 2011 13:46:31 -0600
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Low: rgmanager on SL4.x i386/x86_64
 

Synopsis:	Low: rgmanager security and bug fix update
Issue date:	2011-02-16
CVE Names:	CVE-2008-6552 CVE-2010-3389

Multiple insecure temporary file use flaws were discovered in rgmanager
and various resource scripts run by rgmanager. A local attacker could
use these flaws to overwrite an arbitrary file writable by the rgmanager
process (i.e. user root) with the output of rgmanager or a resource
agent via a symbolic link attack. (CVE-2008-6552)

It was discovered that certain resource agent scripts set the
LD_LIBRARY_PATH environment variable to an insecure value containing
empty path elements. A local user able to trick a user into running
those scripts while working from an attacker-writable directory could
use this flaw to escalate their privileges via a specially crafted
dynamic library. (CVE-2010-3389)
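
The following shell sketch is an added example, not code from rgmanager or from this advisory. It shows how an unconditional append to LD_LIBRARY_PATH produces the empty path elements described above, how to detect them, and a hardened way to build the value. The function names and the /opt/agent/lib directory are hypothetical, and the hardened builder goes one step further than the advisory by also dropping relative elements, which depend on the working directory in the same way.

```shell
#!/bin/sh
# Added example; function names and /opt/agent/lib are hypothetical.

# Return 0 if a colon-separated search path contains an empty element
# (leading colon, trailing colon, or "::"). An empty element makes the
# library search depend on the current working directory.
has_empty_element() {
    case "$1" in
        "")          return 1 ;;  # empty or unset: no elements at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Risky pattern: append the old value unconditionally. When the old
# value is unset or empty, the result ends in ":" (an empty element).
build_path_unsafe() {
    printf '%s\n' "$1:$2"
}

# Hardened pattern: start from the directory being added and keep only
# absolute elements of the old value, so empty and relative entries are
# dropped. Runs in a subshell so IFS and "set -f" do not leak out.
build_path_safe() (
    out=$1
    IFS=:
    set -f                          # no globbing while splitting
    for e in $2; do
        case "$e" in
            /*) out="$out:$e" ;;    # absolute element: keep
            *)  ;;                  # empty or relative: drop
        esac
    done
    printf '%s\n' "$out"
)

# Constructed inherited values, as a resource agent might see them.
for old in "" "/usr/lib64" ":/usr/lib64" "/a::/b"; do
    u=$(build_path_unsafe /opt/agent/lib "$old")
    s=$(build_path_safe /opt/agent/lib "$old")
    if has_empty_element "$u"; then verdict=UNSAFE; else verdict=ok; fi
    printf 'old=%-14s unsafe=%-26s [%s] safe=%s\n' "'$old'" "$u" "$verdict" "$s"
done
```

The same check can be run against the value a script exports just before it invokes a binary, for example `has_empty_element "$LD_LIBRARY_PATH"`.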

This update also fixes the following bugs:

* Previously, starting threads could incorrectly include a reference to
an exited thread if that thread exited when rgmanager received a request
to start a new thread. Due to this issue, the new thread did not retry
and entered an infinite loop. This update ensures that new threads do
not reference old threads. Now, new threads no longer enter an infinite
loop in which the rgmanager enables and disables services without
failing gracefully. (BZ#502872)

* Previously, nfsclient.sh left temporary nfsclient-status-cache-$$
files in /tmp/. (BZ#506152)

* Previously, the function local_node_name in
/resources/utils/member_util.sh did not correctly check whether
magma_tool failed. Due to this issue, empty strings could be returned.
This update checks the input and rejects empty strings. (BZ#516758)

* Previously, the file system agent could kill a process when an
application used a mount point with a similar name to a mount point
managed by rgmanager using force_unmount. With this update, the file
system agent kills only the processes that access the mount point
managed by rgmanager. (BZ#555901)

* Previously, simultaneous execution of "lvchange --deltag" from
/etc/init.d/rgmanager caused a checksum error on High Availability
Logical Volume Manager (HA-LVM). With this update, ownership of LVM tags
is checked before removing them. (BZ#559582)

* Previously, the isAlive check could fail if two nodes used the same
file name. With this update, the isAlive function prevents two nodes
from using the same file name. (BZ#469815)

* Previously, the S/Lang code could lead to unwanted S/Lang stack leaks
during event processing. (BZ#507430)

SL 4.x

 SRPMS:
rgmanager-1.9.88-2.el4.src.rpm
 i386:
rgmanager-1.9.88-2.el4.i386.rpm
 x86_64:
rgmanager-1.9.88-2.el4.x86_64.rpm

-Connie Sieh
-Troy Dawson