multipath-tools: World-writeable socket

multipath-tools does not set correct permissions on the socket file, making it possible for local users to send arbitrary commands to the multipath daemon.

multipath-tools 2010-06-01 2010-06-01 264564 local 0.4.8-r1 0.4.8-r1

multipath-tools are used to drive the Device Mapper multipathing driver.

multipath-tools uses world-writable permissions for the socket file (/var/run/multipathd.sock).

Local users could send arbitrary commands to the multipath daemon, causing cluster failures and data loss.

chmod o-rwx /var/run/multipathd.sock
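To confirm whether a host is exposed and that the workaround took effect, the socket mode can be audited before and after the chmod. The script below is an added example, not part of the original advisory; the function names are hypothetical and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: audit and harden the multipathd control socket permissions.
# Function names are hypothetical; requires GNU coreutils stat (-c).

SOCK_DEFAULT=/var/run/multipathd.sock   # socket path named in the advisory

# audit_socket [PATH]
# returns 0 = no access for "other", 1 = world-writable (exposed),
#         2 = "other" has read/execute but not write, 3 = path missing
audit_socket() {
    path=${1:-$SOCK_DEFAULT}
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 3
    fi
    [ -S "$path" ] || echo "$path: warning, not a socket"
    mode=$(stat -c '%a' "$path") || return 3
    other=$(( mode % 10 ))              # last octal digit holds the "other" bits
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "$path: mode $mode, world-writable"
        return 1
    elif [ "$other" -ne 0 ]; then
        echo "$path: mode $mode, other has access but cannot write"
        return 2
    fi
    echo "$path: mode $mode, no access for other"
    return 0
}

# harden_socket [PATH]
# applies the advisory's workaround (chmod o-rwx) only when needed,
# then re-audits so the caller gets the post-change state as exit status
harden_socket() {
    path=${1:-$SOCK_DEFAULT}
    rc=0
    audit_socket "$path" >/dev/null || rc=$?
    case $rc in
        0) return 0 ;;                  # already restricted
        3) return 3 ;;                  # nothing to fix
    esac
    chmod o-rwx "$path" || return 4
    audit_socket "$path"
}
```

Source the file and run `audit_socket`, then `harden_socket` as root. Re-run the audit after the daemon restarts to see whether it recreated the socket with the old mode.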

All multipath-tools users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since November 13, 2009. It is likely that your system is already no longer affected by this issue.

CVE-2009-0115 craig craig keytoaster