Bugzilla – Bug 528711
VUL-0: CVE-2009-1297: open-iscsi: security issue in open-iscsi
Last modified: 2021-08-11 08:59:22 UTC
Hi.

There is a security bug in 'open-iscsi'.
This information is from 'vendor-sec'.
This bug is NOT PUBLIC.
The coordinated release date (CRD) is: 2009-08-11
More information can be found here: https://launchpad/bugs/408915

Original posting:

----- Forwarded message from Kees Cook <kees@ubuntu.com> -----

Date: Wed, 5 Aug 2009 08:10:10 -0700
From: Kees Cook <kees@ubuntu.com>
To: Dan Bar Dov <danb@voltaire.com>
Cc: vendor-sec@lst.de, Colin Watson <cjwatson@canonical.com>
Subject: [vendor-sec] Embargoed security issue in open-iscsi
Errors-To: vendor-sec-admin@lst.de

Hi,

A private security bug was reported against open-iscsi in Ubuntu. You are being emailed as the upstream contact. Please keep vendor-sec[1] CC'd for any updates on this issue.

This issue is embargoed and has not been disclosed publicly. We are requesting a coordinated release date (CRD) of 2009-08-11 14:00 UTC. We ask that you keep this issue embargoed until the CRD[2]. If you or members of vendor-sec do not request another date, Ubuntu will make this bug public on the CRD.

Colin Watson reported the following bug:
https://launchpad/bugs/408915

The iscsi_discovery shell script, typically run as root, contains the following code:

    df=/tmp/discovered.$$
    dbg "starting discovery to $ip"
    iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}

This is a standard security vulnerability and should be replaced by use of mktemp or shell variables. The proposed patch is attached.

Thanks in advance for your cooperation in coordinating a fix for this issue,

-Kees

[1] vendor-sec is a private mailing list for distributors of operating systems to collaborate on security vulnerabilities and coordinate security updates. Discussions on vendor-sec are considered private and should not be made public, though the result of the discussions may be made public after the coordinated release date.

[2] Please do not release a fix, make public revision control commits, comment in public bug reports or otherwise disclose information about this issue until the coordinated release date. This gives all affected parties a chance to release a fix at the same time.
-- Kees Cook Ubuntu Security Team diff -u open-iscsi-2.0.870.1/utils/iscsi_discovery open-iscsi-2.0.870.1/utils/iscsi_discovery --- open-iscsi-2.0.870.1/utils/iscsi_discovery +++ open-iscsi-2.0.870.1/utils/iscsi_discovery @@ -128,24 +128,22 @@ connected=0 discovered=0 - df=/tmp/discovered.$$ dbg "starting discovery to $ip" - iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df} - while read portal target + disc="$(iscsiadm -m discovery --type sendtargets --portal ${ip}:${port})" + echo "${disc}" | while read portal target do portal=${portal%,*} select_transport - done < ${df} + done - discovered=$(cat ${df} | wc -l) + discovered=$(echo "${disc}" | wc -l) if [ ${discovered} = 0 ]; then echo "failed to discover targets at ${ip}" exit 2 else echo "discovered ${discovered} targets at ${ip}" fi - /bin/rm -f ${df} } try_login() ----- End forwarded message ----- -- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Hamming's Motto: The purpose of computing is insight, not numbers. -- Richard W. Hamming
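Review bot: the new count, discovered=$(echo "${disc}" | wc -l), can never be 0, because echo of an empty string still writes one newline, so the "failed to discover targets" branch and its exit 2 become unreachable; the removed cat ${df} | wc -l returned 0 for an empty file. Test the variable first, for example [ -z "${disc}" ], or count with printf '%s' "${disc}" | grep -c . instead. A second point on the loop: echo "${disc}" | while read portal target places the loop in a pipeline, which bash and dash run in a subshell, unlike the removed done < ${df} form, so any script variable that select_transport updates (connected=0 is initialised at the top of the hunk) would lose its new value when the loop ends. Feeding the loop from a here-document keeps it in the current shell while still avoiding the temporary file.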
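The report names mktemp as the other acceptable replacement for /tmp/discovered.$$. The sketch below is an added example, not part of the proposed patch or of open-iscsi; discover_cmd is a hypothetical stand-in for the iscsiadm call, and the portal and target strings are constructed sample data.

```shell
#!/bin/sh
# Hypothetical stand-in for:
#   iscsiadm -m discovery --type sendtargets --portal ${ip}:${port}
# It prints constructed sample records so the example runs offline.
discover_cmd() {
    if [ "$1" = "empty" ]; then
        return 0                      # simulate a portal with no targets
    fi
    printf '%s\n' \
        '192.0.2.10:3260,1 iqn.2009-08.example:disk0' \
        '192.0.2.10:3260,1 iqn.2009-08.example:disk1'
}

# Count discovered targets using a private temporary file.
count_targets() {
    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so a file or link that already exists under /tmp is
    # never opened, unlike a redirect to a PID-derived name.
    df=$(mktemp "${TMPDIR:-/tmp}/discovered.XXXXXXXXXX") || return 1

    discover_cmd "$1" > "$df"

    n=0
    # Redirecting into the loop (rather than piping) keeps it in the
    # current shell, so the counter survives after "done".
    while read -r portal target; do
        portal=${portal%,*}           # strip the ",tpgt" suffix as the script does
        n=$((n + 1))
    done < "$df"

    rm -f "$df"
    echo "$n"                         # 0 when nothing was discovered
}
```

In a longer script, pair the mktemp call with a trap that removes the file when the script exits or is interrupted.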
The SWAMPID for this issue is 26348. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/26348)
Which dists need update so I can submit PIs?
Updated open-iscsi rpm submitted for SLES11.
SLES11 rpm can be used as-is for OpenSUSE 11.1, too. Updated rpm submitted for OpenSUSE 11.0 and 10.3. Reassigning back to security for follow-up.
Ach, I was wrong. SLES10 is also affected.
CVE-2009-1297
Ok, so we have SLE10 and SLE11 and 10.3-11.1? If SLE11 can be used for 11.1, it still needs to be put to the 11.1 subdir separately AFAIK.
Updated open-iscsi rpm submitted for SLES10 SP2 and OpenSUSE 11.1.
We also need a package submission for sles10-sp3 if the packages were not already there. Thanks!
patch seems to be there: /work/SRC/old-versions/10.1/SLE-SP3/all/open-iscsi/open-iscsi.changes
Update released for: open-iscsi Products: SLE-DEBUGINFO 10-SP2 (i386, ia64, ppc, s390x, x86_64) SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Update released for: open-iscsi, open-iscsi-debuginfo, open-iscsi-debugsource Products: openSUSE 10.3 (i386, ppc, x86_64) openSUSE 11.0 (debug, i386, ppc, x86_64) openSUSE 11.1 (debug, i586, ppc, x86_64)
released
Update released for: open-iscsi Products: SLE-RT 10-SP2 (i386, x86_64)
openSUSE-RU-2013:1172-1: An update that has 45 recommended fixes can now be installed. Category: recommended (low) Bug References: 435689,455995,466846,471475,514273,519402,528711,541882,541892,561596,562030,565116,576601,581259,589064,590531,595629,596627,603382,608224,617883,687392,708261,711953,713975,715071,718014,722268,726708,727415,728095,730157,731216,732634,732798,738040,742430,742570,751056,769125,807936,810208,818517,820881,821695 CVE References: Sources used: openSUSE 12.3 (src): open-iscsi-2.0.873-47.14.1