Scientific Linux Security Update : rgmanager on SL4.x i386/x86_64

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing a security update.

Description :

Multiple insecure temporary file use flaws were discovered in
rgmanager and various resource scripts run by rgmanager. A local
attacker could use these flaws to overwrite an arbitrary file writable
by the rgmanager process (i.e. user root) with the output of rgmanager
or a resource agent via a symbolic link attack. (CVE-2008-6552)

It was discovered that certain resource agent scripts set the
LD_LIBRARY_PATH environment variable to an insecure value containing
empty path elements. A local user able to trick a user running those
scripts to run them while working from an attacker-writable directory
could use this flaw to escalate their privileges via a specially
crafted dynamic library. (CVE-2010-3389)

This update also fixes the following bugs :

- Previously, starting threads could incorrectly include a
reference to an exited thread if that thread exited when
rgmanager received a request to start a new thread. Due
to this issue, the new thread did not retry and entered
an infinite loop. This update ensures that new threads
do not reference old threads. Now, new threads no longer
enter an infinite loop in which the rgmanager enables
and disables services without failing gracefully.
(BZ#502872)

- Previously, nfsclient.sh left temporary
nfsclient-status-cache-$$ files in /tmp/. (BZ#506152)

- Previously, the function local_node_name in
/resources/utils/member_util.sh did not correctly check
whether magma_tool failed. Due to this issue, empty
strings could be returned. This update checks the input
and rejects empty strings. (BZ#516758)

- Previously, the file system agent could kill a process
when an application used a mount point with a similar
name to a mount point managed by rgmanager using
force_unmount. With this update, the file system agent
kills only the processes that access the mount point
managed by rgmanager. (BZ#555901)

- Previously, simultaneous execution of 'lvchange
--deltag' from /etc/init.d/rgmanager caused a checksum
error on High Availability Logical Volume Manager
(HA-LVM). With this update, ownership of LVM tags is
checked before removing them. (BZ#559582)

- Previously, the isAlive check could fail if two nodes
used the same file name. With this update, the isAlive
function prevents two nodes from using the same file
name. (BZ#469815)

- Previously, the S/Lang code could lead to unwanted
S/Lang stack leaks during event processing. (BZ#507430)

See also :

http://www.nessus.org/u?f053de61
https://bugzilla.redhat.com/show_bug.cgi?id=469815
https://bugzilla.redhat.com/show_bug.cgi?id=502872
https://bugzilla.redhat.com/show_bug.cgi?id=506152
https://bugzilla.redhat.com/show_bug.cgi?id=507430
https://bugzilla.redhat.com/show_bug.cgi?id=516758
https://bugzilla.redhat.com/show_bug.cgi?id=555901
https://bugzilla.redhat.com/show_bug.cgi?id=559582

Solution :

Update the affected rgmanager package.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60961 ()

Bugtraq ID:

CVE ID: CVE-2008-6552
CVE-2010-3389