
Bug#496410: redhat-cluster tmpfile fixes



here is the patch
ups. second try
diff -u redhat-cluster-2.20080801/debian/changelog redhat-cluster-2.20080801/debian/changelog
--- redhat-cluster-2.20080801/debian/changelog
+++ redhat-cluster-2.20080801/debian/changelog
@@ -1,3 +1,11 @@
+redhat-cluster (2.20080801-4+lenny1) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload by the security team.
+  * Fix several tmpfile race conditions, among them CVE-2008-4192 and
+    CVE-2008-4579. (Closes: #496410)
+
+ -- Stefan Fritsch <sf@debian.org>  Fri, 28 Nov 2008 19:15:39 +0100
+
 redhat-cluster (2.20080801-4) unstable; urgency=high
 
   * Add dependency on python-pexpect and install missing fencing 
diff -u redhat-cluster-2.20080801/debian/patches/00list redhat-cluster-2.20080801/debian/patches/00list
--- redhat-cluster-2.20080801/debian/patches/00list
+++ redhat-cluster-2.20080801/debian/patches/00list
@@ -3,0 +4 @@
+04_tmpfile_fixes.dpatch
only in patch2:
unchanged:
--- redhat-cluster-2.20080801.orig/debian/rgmanager.dirs
+++ redhat-cluster-2.20080801/debian/rgmanager.dirs
@@ -0,0 +1 @@
+var/log/cluster
only in patch2:
unchanged:
--- redhat-cluster-2.20080801.orig/debian/cman.dirs
+++ redhat-cluster-2.20080801/debian/cman.dirs
@@ -0,0 +1 @@
+var/log/cluster
only in patch2:
unchanged:
--- redhat-cluster-2.20080801.orig/debian/patches/04_tmpfile_fixes.dpatch
+++ redhat-cluster-2.20080801/debian/patches/04_tmpfile_fixes.dpatch
@@ -0,0 +1,456 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport various tmpfile fixes from upstream git
+
+@DPATCH@
+diff --git a/ccs/ccs_tool/upgrade.c b/ccs/ccs_tool/upgrade.c
+index a8a2314..b7cecf0 100644
+--- a/ccs/ccs_tool/upgrade.c
++++ b/ccs/ccs_tool/upgrade.c
+@@ -182,7 +182,7 @@ static void ccs_dh_in(ccs_dh_t *dh, char *buf){
+ static int upgrade_device_archive(char *location){
+   int error = 0;
+   int dev_fd=-1, tmp_fd=-1;
+-  char tmp_file[64];
++  char tmp_file[128];
+   void *buffer = NULL;
+   char *buffer_p;
+   ccs_dh_t dev_header;
+@@ -220,9 +220,10 @@ static int upgrade_device_archive(char *location){
+     goto fail;
+   }
+ 
+-  sprintf(tmp_file, "/tmp/tmp_%d", getpid());
++  memset(tmp_file, 0, 128);
++  sprintf(tmp_file, "/tmp/ccs_tool_tmp_XXXXXX");
+ 
+-  tmp_fd = open(tmp_file, O_RDWR | O_CREAT |O_TRUNC, S_IRUSR|S_IWUSR);
++  tmp_fd = mkostemp(tmp_file, O_RDWR | O_CREAT |O_TRUNC);
+   if(tmp_fd < 0){
+     fprintf(stderr, "Unable to create temporary archive: %s\n", strerror(errno));
+     error = -errno;
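Review bot: The flags given to the added `mkostemp()` call should not be there: the function already opens the file with `O_RDWR | O_CREAT | O_EXCL`, its manual page warns that passing those flags explicitly produces errors on some systems, and `O_TRUNC` means nothing for a file that is created exclusively. Plain `tmp_fd = mkstemp(tmp_file);` gives the same mode-0600 exclusive creation without the portability risk, and avoids depending on `_GNU_SOURCE` being defined, which is not visible here. The `memset` before the `sprintf` is redundant, since `sprintf` writes the terminating NUL itself. `upgrade_device_archive` continues beyond the hunk, so whether the temporary file is unlinked on every exit path cannot be checked from here.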
+diff --git a/fence/agents/apc_snmp/fence_apc_snmp.py b/fence/agents/apc_snmp/fence_apc_snmp.py
+index b635193..dad1dc2 100644
+--- a/fence/agents/apc_snmp/fence_apc_snmp.py
++++ b/fence/agents/apc_snmp/fence_apc_snmp.py
+@@ -216,7 +216,7 @@ def usage():
+         print "  -c <community>   SNMP community (default 'private')"
+         print "  -n <num>         Outlet name/number to act on"
+         print "  -o <string>      Action: Reboot (default), On, Off and Status"
+-        print "  -v               Verbose mode - write to /tmp/apclog"
++        print "  -v               Verbose mode - write to /var/log/cluster/fence_apc_snmp.log"
+         print "  -V               Version"
+ 	
+         sys.exit(0)
+@@ -227,7 +227,7 @@ file_log = None
+ def set_logging(verbose):
+ 	global file_log
+ 	if verbose:
+-		file_log = open('/tmp/apclog', 'a')
++		file_log = open('/var/log/cluster/fence_apc_snmp.log', 'a')
+ 		file_log.write('\n-----------  ')
+ 		file_log.write(datetime.datetime.today().ctime())
+ 		file_log.write('  -----------\n')
+diff --git a/fence/agents/egenera/fence_egenera.pl b/fence/agents/egenera/fence_egenera.pl
+index 6970a13..e852a45 100644
+--- a/fence/agents/egenera/fence_egenera.pl
++++ b/fence/agents/egenera/fence_egenera.pl
+@@ -284,7 +284,7 @@ sub pserver_shutdown
+ {
+ 	my $rtrn=1;
+         local *egen_log;
+-        open(egen_log,">/tmp/eglog");
++	open(egen_log,">>/var/log/cluster/fence_egenera.log");
+ 	for (my $trys=0; $trys<20; $trys++)
+ 	{
+ 		last if (pserver_status != 0);
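Review bot: The new `open` on the log file is still unchecked and still uses the two-argument form, so if `/var/log/cluster` is missing or not writable the handle is silently invalid and later writes to it are lost. Separating the mode from the path and reporting the failure would fix both, e.g. `open(egen_log, '>>', '/var/log/cluster/fence_egenera.log') or warn "cannot open fence_egenera.log: $!";`. The move to append mode in a root-owned directory is the right direction. `pserver_shutdown` continues outside the hunk, so how the handle is used and closed is not visible.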
+diff --git a/fence/agents/vmware/fence_vmware.pl b/fence/agents/vmware/fence_vmware.pl
+index 9769d15..6f6f78b 100644
+--- a/fence/agents/vmware/fence_vmware.pl
++++ b/fence/agents/vmware/fence_vmware.pl
+@@ -14,13 +14,13 @@ s/.*\///;
+ my $pname = $_;
+ 
+ # Change these if the text returned by your equipment is different.
+-# Test by running script with options -t -v and checking /tmp/vmlog
++# Test by running script with options -t -v and checking /var/log/cluster/apclog
+ 
+ my $immediate = 'immediate'; # # Or 'delayed' - action string prefix on menu
+ 
+ my $max_open_tries = 3;      # How many attempts to make.
+ my $open_wait = 5;           # Seconds to wait between each attempt
+-my $debuglog = '/tmp/apclog';# Location of debugging log when in verbose mode
++my $debuglog = '/var/log/cluster/vmlog';# Location of debugging log when in verbose mode
+ my $powerop_mode = VM_POWEROP_MODE_HARD;
+ $opt_o = 'Reboot';           # Default fence action.  
+ 
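Review bot: The updated comment and the updated variable name different files: the comment says to check `/var/log/cluster/apclog`, while `$debuglog` is now `/var/log/cluster/vmlog` and the usage text in the next hunk also says `vmlog`. Someone following the comment would look at the wrong log. The comment should read `# Test by running script with options -t -v and checking /var/log/cluster/vmlog`.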
+@@ -53,7 +53,7 @@ sub usage
+ 	print "  -q               quiet mode\n";
+ 	print "  -T               Test mode (cancels action)\n";
+ 	print "  -V               version\n";
+-	print "  -v               Log to file /tmp/vmlog\n";
++	print "  -v               Log to file /var/log/cluster/vmlog\n";
+ 	print "  -L               List VMs on Server\n";
+ 	
+ 	exit 0;
+diff --git a/fence/man/fence_apc.8 b/fence/man/fence_apc.8
+index 59676c9..b14378e 100644
+--- a/fence/man/fence_apc.8
++++ b/fence/man/fence_apc.8
+@@ -47,7 +47,7 @@ Full path to an executable to generate the password for login.
+ Test only.  Answer NO to the confirmation prompt instead of YES.
+ .TP
+ \fB-v\fP
+-Verbose.  Record telnet session in /tmp/apclog.
++Verbose.
+ .TP
+ \fB-V\fP
+ Print out a version message, then exit.
+@@ -82,7 +82,7 @@ The switch to operate on.  Defaults to "1" if not specified.
+ Test only.  Answer NO to the confirmation prompt instead of YES.
+ .TP
+ \fIverbose = < param >\fR
+-Verbose.  Record telnet session in /tmp/apclog.
++Verbose.
+ 
+ .SH SEE ALSO
+ fence(8), fence_node(8)
+diff --git a/gfs2/edit/hexedit.c b/gfs2/edit/hexedit.c
+index 534d8cb..6ee9bab 100644
+--- a/gfs2/edit/hexedit.c
++++ b/gfs2/edit/hexedit.c
+@@ -33,7 +33,7 @@ int display(int identify_only);
+ extern void eol(int col);
+ extern void do_leaf_extended(char *buf, struct iinfo *indir);
+ extern int do_indirect_extended(char *buf, struct iinfo *ii);
+-extern void savemeta(const char *out_fn, int slow);
++extern void savemeta(char *out_fn, int slow);
+ extern void restoremeta(const char *in_fn, const char *out_device,
+ 			int printblocksonly);
+ 
+diff --git a/gfs2/edit/savemeta.c b/gfs2/edit/savemeta.c
+index 693ac0f..901d28c 100644
+--- a/gfs2/edit/savemeta.c
++++ b/gfs2/edit/savemeta.c
+@@ -24,7 +24,7 @@
+ #include "libgfs2.h"
+ 
+ #define BUFSIZE (4096)
+-#define DFT_SAVE_FILE "/tmp/gfsmeta"
++#define DFT_SAVE_FILE "/tmp/gfsmeta.XXXXXX"
+ #define MAX_JOURNALS_SAVED 256
+ 
+ struct saved_metablock {
+@@ -714,7 +714,7 @@ void get_journal_inode_blocks(void)
+ 	}
+ }
+ 
+-void savemeta(const char *out_fn, int saveoption)
++void savemeta(char *out_fn, int saveoption)
+ {
+ 	int out_fd;
+ 	int slow;
+@@ -727,9 +727,14 @@ void savemeta(const char *out_fn, int saveoption)
+ 	slow = (saveoption == 1);
+ 	sbd.md.journals = 1;
+ 
+-	if (!out_fn)
+-		out_fn = DFT_SAVE_FILE;
+-	out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
++	if (!out_fn) {
++		out_fn = strdup(DFT_SAVE_FILE);
++		if (!out_fn)
++			die("Can't allocate memory for the operation.\n");
++		out_fd = mkstemp(out_fn);
++	} else
++		out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
++
+ 	if (out_fd < 0)
+ 		die("Can't open %s: %s\n", out_fn, strerror(errno));
+ 
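Review bot: The `strdup()` copy made for the default file name is never freed in the visible lines, and the change drops `const` from the `savemeta()` signature (here and in the `hexedit.c` prototype) only so that `mkstemp()` can write into the buffer. A function-local template avoids both: declare `char tmpl[] = DFT_SAVE_FILE;`, keep `const char *out_fn`, and in the default branch use `out_fn = tmpl; out_fd = mkstemp(tmpl);`. Because the default name is now random, the user also needs to be told which file was written; whether the code after the hunk prints `out_fn` is not visible here. The `else` branch still opens a caller-supplied path with `O_CREAT` and no `O_EXCL`, which is acceptable only because the caller chose that path deliberately.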
+diff --git a/gfs2/libgfs2/misc.c b/gfs2/libgfs2/misc.c
+index daef2f3..813738b 100644
+--- a/gfs2/libgfs2/misc.c
++++ b/gfs2/libgfs2/misc.c
+@@ -217,12 +217,9 @@ mount_gfs2_meta(struct gfs2_sbd *sdp)
+ {
+ 	int ret;
+ 	/* mount the meta fs */
+-	strcpy(sdp->metafs_path, "/tmp/.gfs2meta");
+-	if (!dir_exists(sdp->metafs_path)) {
+-		ret = mkdir(sdp->metafs_path, 0700);
+-		if (ret)
+-			die("Couldn't create %s : %s\n", sdp->metafs_path,
+-			    strerror(errno));
++	snprintf(sdp->metafs_path, PATH_MAX - 1, "/tmp/.gfs2meta.XXXXXX");
++	if (!mkdtemp(sdp->metafs_path)) {
++		die("Couldn't create %s : %s\n", sdp->metafs_path, strerror(errno));
+ 	}
+ 		
+ 	ret = mount(sdp->device_name, sdp->metafs_path, "gfs2meta", 0, NULL);
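Review bot: A failed `mount()` on the last visible line may now leave a stray directory behind, because `mkdtemp()` creates a fresh uniquely named directory on every call where the old code reused one fixed path. The error handling sits outside the hunk, so this is something to confirm rather than a confirmed defect. If that path only calls `die()`, adding `rmdir(sdp->metafs_path);` before it keeps `/tmp` clean. The same applies to the `mount("none", debugfs, ...)` failure branch in the `gfs2/tool/misc.c` hunk, whose body is also cut off. A comment such as `/* mkdtemp() creates the directory mode 0700 with an unpredictable name */` above the call would record why the `dir_exists()` check was dropped.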
+@@ -266,6 +263,7 @@ cleanup_metafs(struct gfs2_sbd *sdp)
+ 		if (ret)
+ 			fprintf(stderr, "Couldn't unmount %s : %s\n",
+ 				sdp->metafs_path, strerror(errno));
++		rmdir(sdp->metafs_path);
+ 	}
+ }
+ 
+diff --git a/gfs2/tool/misc.c b/gfs2/tool/misc.c
+index 0882b49..7432ea1 100644
+--- a/gfs2/tool/misc.c
++++ b/gfs2/tool/misc.c
+@@ -102,27 +102,26 @@ print_lockdump(int argc, char **argv)
+ 	char *name, line[PATH_MAX];
+ 	char *debugfs;
+ 	FILE *file;
+-	int rc = -1, debug_dir_existed = 1;
++	int rc = -1;
+ 
+ 	/* See if debugfs is mounted, and if not, mount it. */
+ 	debugfs = find_debugfs_mount();
+ 	if (!debugfs) {
+-		debugfs = malloc(20);
++		debugfs = malloc(PATH_MAX);
+ 		if (!debugfs)
+ 			die("Can't allocate memory for debugfs.\n");
+-		memset(debugfs, 0, 20);
+-		strcpy(debugfs, "/tmp/debugfs");
+-
+-		if (access(debugfs, F_OK)) {
+-			debug_dir_existed = mkdir(debugfs, 644);
+-			if (debug_dir_existed) {
+-				fprintf(stderr,
+-					"Can't create %s mount point.\n",
+-					debugfs);
+-				free(debugfs);
+-				exit(-1);
+-			}
++
++		memset(debugfs, 0, PATH_MAX);
++		sprintf(debugfs, "/tmp/debugfs.XXXXXX");
++
++		if (!mkdtemp(debugfs)) {
++			fprintf(stderr,
++				"Can't create %s mount point.\n",
++				debugfs);
++			free(debugfs);
++			exit(-1);
+ 		}
++
+ 		rc = mount("none", debugfs, "debugfs", 0, NULL);
+ 		if (rc) {
+ 			fprintf(stderr,
+@@ -153,10 +152,7 @@ print_lockdump(int argc, char **argv)
+ 	/* Check if we mounted the debugfs and if so, unmount it. */
+ 	if (!rc) {
+ 		umount(debugfs);
+-		/* Check if we created the debugfs mount point and if so,
+-		   delete it. */
+-		if (!debug_dir_existed)
+-			rmdir(debugfs);
++		rmdir(debugfs);
+ 	}
+ 	free(debugfs);
+ }
+diff --git a/rgmanager/src/daemons/main.c b/rgmanager/src/daemons/main.c
+index 9c4f842..5909162 100644
+--- a/rgmanager/src/daemons/main.c
++++ b/rgmanager/src/daemons/main.c
+@@ -703,8 +703,8 @@ event_loop(msgctx_t *localctx, msgctx_t *clusterctx)
+ 
+ 	if (signalled) {
+ 		signalled = 0;
+- 
+-		dump_internal_state("/tmp/rgmanager-dump");
++
++		dump_internal_state("/var/lib/cluster/rgmanager-dump");
+ 	}
+ 
+ 	while (running && (tv.tv_sec || tv.tv_usec)) {
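Review bot: The new dump location `/var/lib/cluster/rgmanager-dump` depends on a directory this upload does not visibly create: the added `debian/rgmanager.dirs` lists only `var/log/cluster`. If `/var/lib/cluster` is not shipped by another part of the package, the state dump would fail; how `dump_internal_state()` reports that is outside the hunk. Either add `var/lib/cluster` to `debian/rgmanager.dirs` or confirm the directory is already installed. The path is still fixed, which is fine only while the directory is writable by root alone.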
+diff --git a/rgmanager/src/resources/ASEHAagent.sh b/rgmanager/src/resources/ASEHAagent.sh
+index 4f709e9..4c906a9 100644
+--- a/rgmanager/src/resources/ASEHAagent.sh
++++ b/rgmanager/src/resources/ASEHAagent.sh
+@@ -781,8 +781,8 @@ deep_probe()
+ 	ocf_log debug "ASEHAagent: Start 'deep_probe'."	
+ 
+ 	# Declare two temporary files which will be used in this probe.
+-	tmpfile1="/tmp/ASEHAagent.1"
+-	tmpfile2="/tmp/ASEHAagent.2"
++	tmpfile1="$(mktemp /tmp/ASEHAagent.1.XXXXXX)"
++	tmpfile2="$(mktemp /tmp/ASEHAagent.2.XXXXXX)"
+ 	
+ 	# Get the login_string by analyzing the login_file.
+ 	get_login_string
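Review bot: Neither `mktemp` call is checked, so on failure `tmpfile1` or `tmpfile2` is an empty string and every later unquoted use (`rm -f $tmpfile1`, `cat $tmpfile2`, any redirection) acts on no file name at all. The assignments should stop the probe on failure, e.g. `tmpfile1="$(mktemp /tmp/ASEHAagent.1.XXXXXX)" || return 1`, and the later uses should quote the variables. The same unchecked pattern appears in the `oracledb.sh` hunks (`start_db`, `stop_db`), in `SAPDatabase` and in `smb.sh`. `deep_probe` starts and ends outside this hunk.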
+@@ -794,6 +794,7 @@ deep_probe()
+ 	fi
+ 
+ 	rm -f $tmpfile1
++	rm -f $tmpfile2
+ 
+ 	# The login file is correct. We have gotten the login account and password from it.
+ 	# Run isql command in background.
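Review bot: The added `rm -f $tmpfile2` deletes the file that `mktemp` created safely, yet a later hunk still reads the isql process id back from `$tmpfile2`, so something in between must recreate the file by name. After the `rm`, the name is no longer reserved and the later write is an ordinary create in `/tmp`, which brings back the gap this patch is meant to close. The pre-existing `rm -f $tmpfile1` has the same effect if `tmpfile1` is written again afterwards. Keeping both files in place and emptying them when needed (`: > "$tmpfile2"`) preserves the exclusive creation; the removals added at the end of `deep_probe` are the right place to delete them. The code that writes the files is outside the visible hunks, so this should be confirmed against the full function.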
+@@ -842,11 +843,17 @@ EOF
+ 		# Read the process id of isql process from tmpfile2
+ 		pid=`cat $tmpfile2 | awk '{print $1}'`
+ 
++		rm -f $tmpfile1
++		rm -f $tmpfile2
++
+ 		# Kill the isql process directly.
+ 		kill -9 $pid
+ 		return 1
+ 	fi
+ 
++	rm -f $tmpfile1
++	rm -f $tmpfile2
++
+ 	ocf_log debug "ASEHAagent: End 'deep_probe'."
+ 
+ 	return 0
+diff --git a/rgmanager/src/resources/SAPDatabase b/rgmanager/src/resources/SAPDatabase
+index 5e2aa83..9915640 100644
+--- a/rgmanager/src/resources/SAPDatabase
++++ b/rgmanager/src/resources/SAPDatabase
+@@ -553,7 +553,7 @@ then
+ fi
+ 
+ # Set a tempfile and make sure to clean it up again
+-TEMPFILE="/tmp/SAPDatabase.tmp"
++TEMPFILE="$(mktemp /tmp/SAPDatabase.tmp.XXXXXX)"
+ trap trap_handler INT TERM
+ 
+ # These operations don't require OCF instance parameters to be set
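Review bot: `TEMPFILE` is now created on disk every time the script starts, including for the operations below that never use it, while the visible trap covers only `INT` and `TERM`. Unless every normal exit path outside the hunk removes the file, each invocation leaves an empty `SAPDatabase.tmp.*` file in `/tmp`. An exit trap covers all paths, e.g. `trap 'rm -f "$TEMPFILE"' EXIT`; the alternative is to move the `mktemp` call to the point where the file is first needed. What `trap_handler` itself does is not visible here.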
+diff --git a/rgmanager/src/resources/fs.sh b/rgmanager/src/resources/fs.sh
+index 6d82698..0edf203 100644
+--- a/rgmanager/src/resources/fs.sh
++++ b/rgmanager/src/resources/fs.sh
+@@ -1028,7 +1028,7 @@ Unknown file system type '$fstype' for device $dev.  Assuming fsck is required."
+ 	#
+ 	if [ -n "$fsck_needed" ] || [ "${OCF_RESKEY_force_fsck}" = "yes" ] ||\
+ 	   [ "${OCF_RESKEY_force_fsck}" = "1" ]; then
+-		typeset fsck_log=/tmp/$(basename $dev).fsck.log
++		typeset fsck_log=/var/log/cluster/$(basename $dev).fsck.log
+ 		ocf_log debug "Running fsck on $dev"
+ 		fsck -p $dev >> $fsck_log 2>&1
+ 		ret_val=$?
+diff --git a/rgmanager/src/resources/lvm_by_vg.sh b/rgmanager/src/resources/lvm_by_vg.sh
+index 31cd404..0c1bf0b 100644
+--- a/rgmanager/src/resources/lvm_by_vg.sh
++++ b/rgmanager/src/resources/lvm_by_vg.sh
+@@ -155,7 +155,7 @@ function vg_start
+ 	esac
+ 
+ 	if ! strip_and_add_tag ||
+-	   ! vgchange -ay $OCF_RESKEY_vg_name -vvvv >& /tmp/butt; then
++	   ! vgchange -ay $OCF_RESKEY_vg_name; then
+ 		ocf_log err "Failed to activate volume group, $OCF_RESKEY_vg_name"
+ 		ocf_log notice "Attempting cleanup of $OCF_RESKEY_vg_name"
+ 
+diff --git a/rgmanager/src/resources/oracledb.sh b/rgmanager/src/resources/oracledb.sh
+index d018267..ce55f72 100644
+--- a/rgmanager/src/resources/oracledb.sh
++++ b/rgmanager/src/resources/oracledb.sh
+@@ -250,8 +250,8 @@ start_db()
+ 	declare logfile
+ 	declare -i rv
+ 
+-	tmpfile=/tmp/$SCRIPT-start.$$
+-	logfile=/tmp/$SCRIPT-start.log
++	tmpfile="$(mktemp /tmp/$SCRIPT-start.XXXXXX)"
++	logfile=/var/log/cluster/$SCRIPT-start.log
+ 
+ 	#
+ 	# Set up our sqlplus script.  Basically, we're trying to 
+@@ -264,9 +264,11 @@ start_db()
+ 	sqlplus "/ as sysdba" < $tmpfile &> $logfile
+ 	rv=$?
+ 
++	rm -f $tmpfile
++
+ 	# Dump logfile to /var/log/messages
+ 	initlog -q -c "cat $logfile"
+-	
++
+ 	if [ $rv -ne 0 ]; then
+ 		echo "ORACLE_HOME Incorrectly set?"
+ 		echo "See $logfile for more information."
+@@ -278,10 +280,8 @@ start_db()
+ 	# ORA-.....: failure, we failed
+ 	#
+ 
+-	rm -f $tmpfile
+ 	grep -q "failure" $logfile
+ 	if [ $? -eq 0 ]; then
+-		rm -f $tmpfile
+ 		echo "ORACLE_SID Incorrectly set?"
+ 		echo "See $logfile for more information."
+ 		return 1
+@@ -300,8 +300,8 @@ stop_db()
+ 	declare logfile
+ 	declare -i rv
+ 
+-	tmpfile=/tmp/$SCRIPT-stop.$$
+-	logfile=/tmp/$SCRIPT-stop.log
++	tmpfile="$(mktemp /tmp/$SCRIPT-stop.XXXXXX)"
++	logfile=/var/log/cluster/$SCRIPT-stop.log
+ 
+ 	# Setup for Stop ...
+ 	echo "shutdown abort" > $tmpfile
+@@ -310,9 +310,11 @@ stop_db()
+ 	sqlplus "/ as sysdba" < $tmpfile &> $logfile
+ 	rv=$?
+ 
++	rm -f $tmpfile
++
+ 	# Dump logfile to /var/log/messages
+ 	initlog -q -c "cat $logfile"
+-	
++
+ 	if [ $rv -ne 0 ]; then
+ 		echo "ORACLE_HOME Incorrectly set?"
+ 		echo "See $logfile for more information."
+@@ -322,7 +324,6 @@ stop_db()
+ 	# 
+ 	# If we see 'failure' in the log, we're done.
+ 	#
+-	rm -f $tmpfile
+ 	grep -q failure $logfile
+ 	if [ $? -eq 0 ]; then
+ 		echo_failure
+diff --git a/rgmanager/src/resources/smb.sh b/rgmanager/src/resources/smb.sh
+index 73087c1..ddc5f58 100644
+--- a/rgmanager/src/resources/smb.sh
++++ b/rgmanager/src/resources/smb.sh
+@@ -326,7 +326,7 @@ add_sha1()
+ 
+ verify_sha1()
+ {
+-	declare tmpfile="/tmp/smb-$OCF_RESKEY_name.tmp.$$"
++	declare tmpfile="$(mktemp /tmp/smb-${OCF_RESKEY}_name.tmp.XXXXXX)"
+ 	declare current exp
+ 
+ 	exp=$(grep "^# rgmanager-sha1.*$1" "$1" | head -1)
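Review bot: The brace placement in the new template changes which variable is expanded: `${OCF_RESKEY}_name` expands `OCF_RESKEY`, which is probably unset, and appends the literal text `_name`, whereas the old code used `$OCF_RESKEY_name`. The file name therefore no longer contains the resource name. `mktemp` still makes the name unpredictable, so this is a correctness slip rather than a reopened race. It should be `declare tmpfile="$(mktemp "/tmp/smb-${OCF_RESKEY_name}.tmp.XXXXXX")"`. `verify_sha1` continues beyond the hunk, so removal of the file on all paths cannot be checked here.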
+diff --git a/rgmanager/src/resources/svclib_nfslock b/rgmanager/src/resources/svclib_nfslock
+index 9cf74d5..f69a57c 100644
+--- a/rgmanager/src/resources/svclib_nfslock
++++ b/rgmanager/src/resources/svclib_nfslock
+@@ -19,7 +19,7 @@
+ #
+ nfslock_statd_notify()
+ {
+-	declare tmpdir=/tmp/statd-$2.$$
++	declare tmpdir=$(mktemp -d /tmp/statd-$2.XXXXXX)
+ 	declare nl_dir=$1
+ 	declare nl_ip=$2
+ 	declare command		# Work around bugs in rpc.statd
+@@ -37,7 +37,6 @@ nfslock_statd_notify()
+ 	fi
+ 
+ 	# Ok, copy the HA directory to something we can use.
+-	rm -rf $tmpdir
+        	mkdir -p $tmpdir/sm
+ 	
+ 	# Copy in our specified entries
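Review bot: If `mktemp -d` fails, the `mkdir -p $tmpdir/sm` kept in this hunk runs with an empty `tmpdir` and creates `/sm` at the filesystem root. The failure cannot be detected as written, because `declare tmpdir=$(mktemp -d ...)` in the previous hunk returns the status of `declare`, not of `mktemp`. Splitting the declaration from the assignment fixes this: `declare tmpdir` followed by `tmpdir=$(mktemp -d "/tmp/statd-$2.XXXXXX") || return 1`, with `"$tmpdir"` quoted where it is used. Removing the old `rm -rf $tmpdir` is correct now that the directory is freshly created. `nfslock_statd_notify` continues past the end of the hunk, so the final cleanup of the directory is not visible.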
