Re: tgtd buffer overflow and command injection vulnerabilities

["Hullinger, Jason (Cloud Services)" <jason.hullinger@hp.com>]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

Hi,

Thanks for the clarification, and I see you are using a domain socket at
/var/run/tgtd.ipc_abstract_namespace.X Since the overflow occurs in a
function that is expected to do arbitrary commands it's sort of redundant
as a security issue. It is a bug though and will cause the process to
break so it should still be fixed.

Thanks,

Jason Hullinger

On 6/14/14, 6:29 AM, "FUJITA Tomonori" <fujita.tomonori@lab.ntt.co.jp>
wrote:

>Sorry about the delay,
>
>On Tue, 10 Jun 2014 19:17:35 +0000
>"Hullinger, Jason (Cloud Services)" <jason.hullinger@hp.com> wrote:
>
>> The function call_program in the tgtd daemon includes a callback
>>function
>> that will run arbitrary commands. Additionally, it does not check that
>>the
>
>Yeah, the feature is intentional:
>
>http://www.spinics.net/lists/linux-stgt/msg02065.html
>
>No security about tgtadm. A user who can use tgtadm has the root
>permission. He can do whatever he want to on the machine. He doesn't
>need to use a security hole in tgtd and tgtadm.
>
>Of course, we care about security about iscsi and isns ports.

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5475 bytes --]