Posted: Wed Jun 02, 2010 1:26 am Post subject: [ GLSA 201006-10 ] multipath-tools: World-writeable socket
Gentoo Linux Security Advisory
Title: multipath-tools: World-writeable socket (GLSA 201006-10)
Date: June 01, 2010
multipath-tools does not set correct permissions on the socket file, making
it possible to send arbitrary commands to the multipath daemon for local
multipath-tools are used to drive the Device Mapper multipathing
Vulnerable: < 0.4.8-r1
Unaffected: >= 0.4.8-r1
Architectures: All supported architectures
multipath-tools uses world-writable permissions for the socket file
Local users could send arbitrary commands to the multipath daemon,
causing cluster failures and data loss.
chmod o-rwx /var/run/multipath.sock
All multipath-tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 13, 2009. It is likely that your system is
already no longer affected by this issue.
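
To confirm whether a host is exposed and that the chmod workaround above took effect, the socket's mode can be checked with a short script. This is an added example, not part of the GLSA or of multipath-tools; the function names and the --fix option are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the GLSA): audit the multipathd control socket's mode.
# Requires GNU stat (coreutils), as shipped on Gentoo Linux.

# Print the "other" permission digit (0-7) of PATH's mode.
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Return 0 if "other" has no access, 1 if it has any, 2 if PATH is missing.
check_socket() {
    [ -e "$1" ] || { echo "$1: not present (daemon not running?)" >&2; return 2; }
    [ -S "$1" ] || echo "$1: note: not a UNIX socket" >&2
    bits=$(other_bits "$1") || return 2
    if [ "$bits" -eq 0 ]; then
        echo "$1: OK, no access for other"
        return 0
    fi
    if [ $((bits & 2)) -ne 0 ]; then
        echo "$1: WORLD-WRITABLE (other=$bits): any local user can connect"
    else
        echo "$1: other has access (other=$bits), but not write"
    fi
    return 1
}

# The advisory's workaround, followed by a re-check of the result.
apply_workaround() {
    chmod o-rwx -- "$1" && check_socket "$1"
}

# Usage: sh check-sock.sh /var/run/multipath.sock [--fix]
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then apply_workaround "$1"; else check_socket "$1"; fi
fi
```

The exit status is 0 when "other" has no access to the socket, 1 when it does, and 2 when the path does not exist, so the check can be dropped into a cron job or a configuration-management compliance run.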