Re: Security issue in hammerhead

[Josh Bressers <bressers () redhat com>]

Please use CVE-2011-3204 for this.

Thanks.

-- 
    JB

----- Original Message -----
> A security bug was reported against hammerhead in Ubuntu. You are
> being
> emailed as the upstream contact. Please keep
> oss-security () lists openwall com[1] CC'd for any updates on this issue.
>
> This issue should be considered public and has not yet been assigned a
> CVE.
>
> Details from the public bug follow:
> https://launchpad.net/bugs/826679
>
> ----
> From the reporter:
>
> "hammerhead blindly writes to to /tmp/hammer.log without prior checks.
> It is possible to put a symbolic link at /tmp/hammer.log pointing at
> another file - that hammerhead will then end up appending data into.
> (it appears that hammerhead uses the file location as specified
> in /etc/hammerhead/hh.conf - which in debian/ubuntu
> is /tmp/hammer.log)."
> ----
>
> A quick check shows that HH_LOG and REPORT_LOG are indeed being
> unconditionally opened with 'fopen(..., "a+")' in src/hammerhead.cc.
>
> Thanks in advance for your cooperation in coordinating a fix for this
> issue,
>
> Jamie Strandboge
>
> [1] oss-security () lists openwall com is a public mailing list for
> people to collaborate on security vulnerabilities and coordinate
> security updates.
>
> PS - I couldn't find a security contact for hammerhead, so emailed to
> those I could find in AUTHORS.
>
> --
> Jamie Strandboge | http://www.canonical.com