Security vulnerability in Evergreen 1.6: patch or upgrade advised

On Thursday, June 17th, we realized that the open-ils.pcrud service, which provides permission-protected access to Evergreen data in the 1.6 release series, was subject to a security vulnerability. The vulnerability allows a user to access objects outside of the permissions they have been granted by supplying fleshing arguments to the open-ils.pcrud search service.

By Thursday evening, a patch for the vulnerability had been committed to Evergreen trunk, and by Friday evening that patch had been backported to the 1.6.0 branch. The Evergreen security release was uploaded on Tuesday June 22, and it took until late Friday June 26 to write up the upgrade instructions, release notes, and update the downloads page for the Web site.

Today, we worked out how to apply just the security fix to a running system, so that Evergreen libraries can close the vulnerability without having to apply the full release upgrade. The procedure is as follows:

  1. Download the fixed file:
  2. Copy oils_cstore.c over Open-ILS/src/c-apps/oils_cstore.c in the source directory you used to install your Evergreen system
  3. Run ‘make’ to compile the updated libraries
  4. Install the chrpath tool (“aptitude install chrpath”)
  5. Run “chrpath -d Open-ILS/src/c-apps/.libs/” to enable the library to link to the appropriate location
  6. Copy Open-ILS/src/c-apps/.libs/* to /openils/lib/.
  7. Restart the Evergreen C services by running ‘ -a restart_c’

If you are running Evergreen 1.6, we recommend that you apply this security fix as soon as possible, then upgrade to the latest release ( when you have an opportunity. Evergreen sites running releases prior to 1.6 are not affected by this vulnerability.

About Dan Scott

I'm the systems librarian for Laurentian University, with a background in information architecture, database software development, and project planning from spending 8 years with IBM.