Date: Thu, 20 Sep 2012 15:51:03 -0600
From: Vincent Danen <>
Subject: Notification of upstream Condor security fixes

Just an FYI about an upstream Condor release yesterday that fixed a few
security issues:


Florian Weimer of the Red Hat Product Security Team reported that certain
functions in Condor (my_popenv_impl and my_spawnv in
src/condor_utils/my_popen.cpp) did not check the return value of setuid and
similar function calls. As a result, the subprocess could possibly be created
with root privileges instead of those of the intended user.
;a=commitdiff;h=94e84ce4

NOTE: this flaw is only exploitable if the VMware support is compiled in; see
the Red Hat bug for further details.
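The pattern behind this first flaw, shown as an added example that is not Condor's code and not the upstream patch: the function names drop_privileges_unchecked and drop_privileges_checked are assumed for illustration. The unchecked form mirrors the bug class (setgid/setuid results discarded, so a failed drop leaves the child running as the caller); the checked form tests every call, confirms the resulting IDs, and verifies that root cannot be regained.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The bug class: a privilege drop whose results are ignored. If setuid() fails
 * (EPERM, or EAGAIN when the target user is at its process limit), execution
 * simply continues as the caller, which for a root daemon means as root.
 * Illustrative function, not Condor's my_popenv_impl/my_spawnv. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    setgid(gid);   /* result ignored */
    setuid(uid);   /* result ignored: on failure we are still the caller */
}

/* Hardened form: check each call, then verify the real and effective IDs and
 * refuse to continue if root could still be regained.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges_checked(uid_t uid, gid_t gid) {
    /* Only root may change supplementary groups; an unprivileged caller keeps its own. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;   /* group first: after setuid() we could not */
    if (setuid(uid) != 0) return -1;
    /* Confirm the kernel did what we asked rather than trusting the calls alone. */
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    if (getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    /* After dropping to a non-root user, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    /* Demo: "drop" to our own IDs, which succeeds for root and non-root alike. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        perror("drop_privileges_checked");
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());

    /* An unprivileged caller cannot become root: the unchecked drop hides
     * that failure, the checked one reports it. */
    if (geteuid() != 0) {
        drop_privileges_unchecked(0, 0);
        printf("unchecked drop to root silently left us as uid=%u\n",
               (unsigned)geteuid());
        int rc = drop_privileges_checked(0, 0);
        printf("checked drop to root returned %d (%s)\n", rc, strerror(errno));
    }
    return 0;
}
```

In a spawn helper the checked variant belongs in the child between fork() and exec(), with the child calling _exit() on failure so the parent never ends up with a root child it did not intend to create.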


Florian Weimer of the Red Hat Product Security Team discovered that the ability
to abort a job in Condor only required WRITE authorization, instead of a
combination of WRITE authorization and job ownership. This could allow an
authenticated attacker to bypass intended restrictions and abort any idle job
on the system.
;a=commitdiff;h=1fff5d40


Florian Weimer of the Red Hat Product Security Team discovered that Condor's
file system authentication challenge accepted directories with weak permissions
(for example, world readable, writable and executable permissions). If a user
created a directory with such permissions, a local attacker could rename it,
allowing them to execute jobs with the privileges of the victim user.
;a=commitdiff;h=1db67805
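The kind of check this third fix calls for, as an added example that is neither Condor's code nor the upstream commit: a directory offered in a file system authentication challenge is only accepted if it is a real directory (not a symlink), owned by the user being authenticated, and writable by nobody but that owner. The names fs_challenge_dir_ok and check_with_mode are assumed for illustration; the demo helper creates a temporary directory under /tmp to exercise the check.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if 'path' is a directory owned by 'owner', is not a symlink, and
 * carries no group or world write bit; 0 otherwise. A directory with weak
 * permissions (0777 and the like) must be rejected: the challenge then proves
 * nothing about who controls it. Illustrative check, not Condor's. */
int fs_challenge_dir_ok(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;             /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return 0;              /* symlinks and files rejected */
    if (st.st_uid != owner) return 0;                /* must belong to the claimed user */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* group- or world-writable */
    return 1;
}

/* Demo helper: create a private temp directory, chmod it to 'mode', run the
 * check as the current user, and remove it again. Returns the check result,
 * or -1 if the directory could not be set up. */
int check_with_mode(mode_t mode) {
    char tmpl[] = "/tmp/fsauthXXXXXX";   /* constructed sample path */
    char *dir = mkdtemp(tmpl);           /* created with mode 0700 */
    if (dir == NULL) return -1;
    if (chmod(dir, mode) != 0) { rmdir(dir); return -1; }
    int ok = fs_challenge_dir_ok(dir, getuid());
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("0700 directory accepted: %d\n", check_with_mode(0700));
    printf("0770 directory accepted: %d\n", check_with_mode(0770));
    printf("0777 directory accepted: %d\n", check_with_mode(0777));
    return 0;
}
```

Using lstat() rather than stat() matters here: with stat() a symlink pointing at a properly permissioned directory belonging to the victim would pass, which is exactly the substitution the attacker wants.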


Florian Weimer of the Red Hat Product Security Team found that an
unauthenticated user able to connect to the Condor startd TCP port could
request ads, provided they could guess or brute force the PID of the process,
due to how the GIVE_REQUEST_AD handler is registered.  The ads contain a lot
of already-public information for users with READ privileges, however they also
provide the ClaimId (as opposed to the PublicClaimId, which truncates the full
value of the ClaimId).  If an attacker could obtain the private ClaimId, they
could use it to control the running job, and also start new jobs on the system.
;a=commitdiff;h=d2f33972

Other upstream references:

These were fixed in upstream 7.8.4 and 7.6.10.

Vincent Danen / Red Hat Security Response Team 
