Date: Thu, 20 Sep 2012 15:51:03 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: Notification of upstream Condor security fixes Just an FYI about an upstream Condor release yesterday that fixed a few security issues: CVE-2012-3490 Florian Weimer of the Red Hat Product Security Team reported that certain functions in Condor (my_popenv_impl and my_spawnv in src/condor_utils/my_popen.cpp) did not check the return value of setuid and similar function calls. As a result, the subprocess could possibly be created with root privileges instead of those of the intended user. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491 http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=94e84ce4 NOTE: this flaw is only exploitable if the VMware support is compiled in; see the Red Hat bug for further details. CVE-2012-3491 Florian Weimer of the Red Hat Product Security Team discovered that the ability to abort a job in Condor only required WRITE authorization, instead of a combination of WRITE authorization and job ownership. This could allow an authenticated attacker to bypass intended restrictions and abort any idle job on the system. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491 http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=1fff5d40 CVE-2012-3492 Florian Weimer of the Red Hat Product Security Team discovered that Condor's file system authentication challenge accepted directories with weak permissions (for example, world readable, writable and executable permissions). If a user created a directory with such permissions, a local attacker could rename it, allowing them to execute jobs with the privileges of the victim user. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492 http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=1db67805 CVE-2012-3493 Florian Weimer of the Red Hat Product Security Team found that an unauthenticated user able to connect to the Condor startd TCP port could request ads, provided they could guess or brute force the PID of the process, due to how the GIVE_REQUEST_AD handler is registered. The ads contains a lot of already-public information for users with READ privileges, however it also provides the ClaimId (as opposed to the PublicClaimId which truncates the full value of the ClaimID). If an attacker could obtain the private ClaimId, they could use it to control the running job, and also start new jobs on the system. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493 http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=d2f33972 Other upstream references: http://research.cs.wisc.edu/condor/manual/v7.8/9_3Stable_Release.html http://research.cs.wisc.edu/condor/manual/v7.6/8_3Stable_Release.html These were fixed in upstream 7.8.4 and 7.6.10. -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ