Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 20 Sep 2012 15:51:03 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Notification of upstream Condor security fixes

Just an FYI about an upstream Condor release yesterday that fixed a few
security issues:


CVE-2012-3490

Florian Weimer of the Red Hat Product Security Team reported that certain
functions in Condor (my_popenv_impl and my_spawnv in
src/condor_utils/my_popen.cpp) did not check the return value of setuid and
similar function calls. As a result, the subprocess could possibly be created
with root privileges instead of those of the intended user.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=94e84ce4

NOTE: this flaw is only exploitable if the VMware support is compiled in; see
the Red Hat bug for further details.


CVE-2012-3491

Florian Weimer of the Red Hat Product Security Team discovered that the ability
to abort a job in Condor only required WRITE authorization, instead of a
combination of WRITE authorization and job ownership. This could allow an
authenticated attacker to bypass intended restrictions and abort any idle job
on the system.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=1fff5d40


CVE-2012-3492

Florian Weimer of the Red Hat Product Security Team discovered that Condor's
file system authentication challenge accepted directories with weak permissions
(for example, world readable, writable and executable permissions). If a user
created a directory with such permissions, a local attacker could rename it,
allowing them to execute jobs with the privileges of the victim user.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=1db67805


CVE-2012-3493

Florian Weimer of the Red Hat Product Security Team found that an
unauthenticated user able to connect to the Condor startd TCP port could
request ads, provided they could guess or brute force the PID of the process,
due to how the GIVE_REQUEST_AD handler is registered.  The ads contains a lot
of already-public information for users with READ privileges, however it also
provides the ClaimId (as opposed to the PublicClaimId which truncates the full
value of the ClaimID).  If an attacker could obtain the private ClaimId, they
could use it to control the running job, and also start new jobs on the system.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493
http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=d2f33972

Other upstream references:

http://research.cs.wisc.edu/condor/manual/v7.8/9_3Stable_Release.html
http://research.cs.wisc.edu/condor/manual/v7.6/8_3Stable_Release.html

These were fixed in upstream 7.8.4 and 7.6.10.

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.