Bug 1146691

Summary: AUDIT-FIND: resource-agents: Predictable log file in /tmp in mariadb.in
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Peter Varkoly <varkoly>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: emiura, filippo.bonazzi, gabriele.sonnu, mrey, rfrohl, stoyan.manolov, varkoly
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1021689

Description Johannes Segitz 2019-08-21 14:53:09 UTC
resource-agents-4.3.018.a7fb5035/heartbeat/mariadb.in (lines 994-1001):
##########################################################################
# If DEBUG_LOG is set, make this resource agent easy to debug: set up the
# debug log and direct all output to it.  Otherwise, redirect to /dev/null.
# The log directory must be a directory owned by root, with permissions 0700,
# and the log must be writable and not a symlink.
##########################################################################
DEBUG_LOG="/tmp/mysql.ocf.ra.debug/log"
if [ "${DEBUG_LOG}" -a -w "${DEBUG_LOG}" -a ! -L "${DEBUG_LOG}" ]; then

The recommendation in the comment is not enforced. The if statement provides some protection here, but this is still not great. Please either log to one of the usual directories or create a proper temporary directory and ensure good permissions.
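The gap the report describes, as an added shell example that is not code from the bug report or from resource-agents: the shipped DEBUG_LOG test is reproduced with its original meaning, next to a setup that creates the log directory with mktemp -d and enforces the ownership and 0700 mode the comment block in mariadb.in asks for. The function names, the find(1)-based permission check and the mktemp template are assumptions of this example; the ownership test uses the invoking user, which is root when the cluster stack runs the agent.

```shell
#!/bin/sh
# Added example, not code from the bug report or from resource-agents.
# First the check shipped in mariadb.in (rewritten without the obsolescent
# "-a", same meaning), then a setup that enforces what the comment block
# in mariadb.in asks for. Function names are assumptions.

# The predictable path flagged in the report (constructed copy of the value).
WEAK_DEBUG_LOG="/tmp/mysql.ocf.ra.debug/log"

# Same conditions as the shipped code: log path set, writable, not a
# symlink, and its parent is a directory. Ownership and mode of the
# directory are not checked, which is the gap the report describes.
weak_log_check() {
    log="$1"
    [ -n "$log" ] && [ -w "$log" ] && [ ! -L "$log" ] || return 1
    [ -d "${log%/*}" ] || return 1
    return 0
}

# Enforce the comment's requirements on the log directory: a real directory
# (a symlink is "-type l", so it is rejected), mode exactly 0700, owned by
# the user running the agent. The find(1) expression is an assumption chosen
# for portability; "-prune" keeps find from descending into the directory.
log_dir_is_safe() {
    dir="$1"
    [ -n "$dir" ] || return 1
    found=$(find "$dir" -prune -type d -perm 700 -user "$(id -u)" -print 2>/dev/null)
    [ -n "$found" ]
}

# Create the log directory with an unpredictable name (mktemp -d creates it
# with mode 0700), verify it, then create the log file under a restrictive
# umask. Prints the log path on success, returns 1 on any failure.
setup_debug_log() {
    base="${1:-${TMPDIR:-/tmp}}"
    dir=$(mktemp -d "$base/mysql.ocf.ra.debug.XXXXXX") || return 1
    log_dir_is_safe "$dir" || { rmdir "$dir"; return 1; }
    log="$dir/log"
    [ ! -L "$log" ] || return 1
    ( umask 077 && : >> "$log" ) || return 1
    printf '%s\n' "$log"
}
```

Run as `log=$(setup_debug_log)` and redirect the agent's output to "$log"; the shipped check still accepts a log file sitting in a world-writable directory, while log_dir_is_safe rejects it, which is the difference between the comment's stated policy and what the code enforced.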
Comment 1 Johannes Segitz 2020-03-18 10:39:49 UTC
Was removed in https://github.com/ClusterLabs/resource-agents/pull/1191/commits/8d2705d4991fc3d82e01ce8cffaa44976c9f5e75
Please submit this for our packages
Comment 2 Peter Varkoly 2020-03-19 07:22:16 UTC
Fixed in version 4.1.1+git165.1ddbf85d. Factory and SLE15-SP2 contain this fix.
Comment 6 Swamp Workflow Management 2020-04-23 19:32:24 UTC
SUSE-SU-2020:1090-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    resource-agents-4.3.0184.6ee15eb2-3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-04-23 19:34:54 UTC
SUSE-SU-2020:1089-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    resource-agents-4.3.0184.6ee15eb2-4.22.1
Comment 8 Swamp Workflow Management 2020-04-23 19:36:30 UTC
SUSE-SU-2020:1092-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146776,1146784,1146785,1146787,1146789,1161898
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-2.45.1
Comment 9 Swamp Workflow Management 2020-04-23 19:38:09 UTC
SUSE-SU-2020:1091-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1146789
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src):    resource-agents-4.3.018.a7fb5035-3.42.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    resource-agents-4.3.018.a7fb5035-3.42.1
Comment 10 Swamp Workflow Management 2020-05-01 22:37:51 UTC
openSUSE-SU-2020:0585-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    resource-agents-4.3.0184.6ee15eb2-lp151.3.18.1
Comment 14 Ednilson Miura 2022-06-13 14:52:52 UTC
before update:
# rpm -q resource-agents
resource-agents-4.4.0+git57.70549516-3.46.1.x86_64
# grep DEBUG_LOG /usr/lib/ocf/resource.d/heartbeat/mariadb 
# If DEBUG_LOG is set, make this resource agent easy to debug: set up the
DEBUG_LOG="/tmp/mysql.ocf.ra.debug/log"
if [ "${DEBUG_LOG}" -a -w "${DEBUG_LOG}" -a ! -L "${DEBUG_LOG}" ]; then
    DEBUG_LOG_DIR="${DEBUG_LOG%/*}"
    if [ -d "${DEBUG_LOG_DIR}" ]; then
        exec 9>>"$DEBUG_LOG"

after update:
# rpm -q resource-agents
resource-agents-4.4.0+git57.70549516-150200.3.51.1.x86_64
# grep DEBUG_LOG /usr/lib/ocf/resource.d/heartbeat/mariadb 
# If DEBUG_LOG is set, make this resource agent easy to debug: set up the
DEBUG_LOG="/tmp/mysql.ocf.ra.debug/log"
if [ "${DEBUG_LOG}" -a -w "${DEBUG_LOG}" -a ! -L "${DEBUG_LOG}" ]; then
    DEBUG_LOG_DIR="${DEBUG_LOG%/*}"
    if [ -d "${DEBUG_LOG_DIR}" ]; then
        exec 9>>"$DEBUG_LOG"

Issue not fixed.
Comment 15 Gabriele Sonnu 2022-06-13 15:14:51 UTC
@Peter can you have a look at this?
Comment 16 Robert Frohl 2022-07-06 09:39:13 UTC
(In reply to Gabriele Sonnu from comment #15)
> @Peter can you have a look at this?

New round of pending submissions, let's see if it is resolved.
Comment 18 Swamp Workflow Management 2022-07-07 16:16:00 UTC
SUSE-SU-2022:2325-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1146691,1196164,1197956,1199766
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    resource-agents-4.10.0+git40.0f4de473-150400.3.7.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    resource-agents-4.10.0+git40.0f4de473-150400.3.7.1
Comment 19 Swamp Workflow Management 2022-07-07 16:16:47 UTC
SUSE-SU-2022:2326-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1146691,1196164,1199766
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    resource-agents-4.8.0+git30.d0077df0-150300.8.28.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    resource-agents-4.8.0+git30.d0077df0-150300.8.28.1
Comment 20 Swamp Workflow Management 2022-07-08 13:16:23 UTC
SUSE-SU-2022:2336-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1146691
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    resource-agents-4.3.0184.6ee15eb2-150100.4.66.1
Comment 21 Swamp Workflow Management 2022-07-08 13:17:07 UTC
SUSE-SU-2022:2337-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1196164,1197956,1199766
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src):    resource-agents-4.4.0+git57.70549516-150200.3.53.1
Comment 22 Swamp Workflow Management 2022-07-08 13:18:21 UTC
SUSE-SU-2022:2335-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1146691
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src):    resource-agents-4.3.018.a7fb5035-3.92.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    resource-agents-4.3.018.a7fb5035-3.92.1
Comment 23 Peter Varkoly 2022-08-10 07:17:37 UTC
Ready to close
Comment 24 Filippo Bonazzi 2022-12-12 11:10:39 UTC
Is this fixed? Can this be closed?
Comment 25 Filippo Bonazzi 2023-01-09 09:07:07 UTC
Fixed