[OPEN-ILS-GENERAL] Security vulnerability in Evergreen 1.6: patch or upgrade advised

Dan Scott dan at coffeecode.net
Sun Jun 27 01:05:17 EDT 2010


On Thursday, June 17th, we realized that the open-ils.pcrud service,
which provides permission-protected access to Evergreen data in the 1.6
release series, was subject to a security vulnerability. The
vulnerability allows a user to access objects outside of the permissions
they have been granted by supplying fleshing arguments to the
open-ils.pcrud service.

By Thursday evening, a patch for the vulnerability had been committed to
Evergreen trunk, and by Friday evening that patch had been backported to
the 1.6.0 branch. The Evergreen 1.6.0.6 security release was uploaded on
Tuesday June 22, and it took until late Friday June 26 to write up the
upgrade instructions, release notes, and update the downloads page for
the http://evergreen-ils.org Web site.

Today, we worked out how to apply just the security fix to a running
system, so that Evergreen libraries can close the vulnerability without
having to apply the full release upgrade. The procedure is as follows:

   1. Download the fixed file:
http://svn.open-ils.org/trac/ILS/export/16749/branches/rel_1_6_0/Open-ILS/src/c-apps/oils_cstore.c
   2. Copy oils_cstore.c over Open-ILS/src/c-apps/oils_cstore.c in the
source directory you used to install your Evergreen system
   3. Run 'make' to compile the updated libraries
   4. Install the chrpath tool ("aptitude install chrpath")
   5. Run "chrpath -d Open-ILS/src/c-apps/.libs/oils_pcrud.so" to enable
the library to link to the appropriate location
   6. Copy Open-ILS/src/c-apps/.libs/oils_pcrud.so.* to /openils/lib/.
   7. Restart the Evergreen C services by running 'osrf_ctl.sh -a
restart_c'
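The seven steps above, collected into one script so that an administrator can review the exact commands before running them. This is an added example, not a script from the post or from the Evergreen project; it assumes the Evergreen source tree lives at the path in EG_SRC (a made-up default), that the install prefix is /openils as in step 6, that wget is available for the download, and it adds a DRY_RUN mode that only prints the commands it would run.

```shell
#!/bin/sh
# Apply the open-ils.pcrud fix from Evergreen 1.6.0.6 to a running 1.6 system.
# Added example script; the source-tree path and the dry-run switch are assumptions.
set -eu

# Assumed location of the source tree used for the original install.
EG_SRC="${EG_SRC:-/home/opensrf/Evergreen-ILS-1.6.0}"
# Fixed file named in step 1 of the post.
FIX_URL="http://svn.open-ils.org/trac/ILS/export/16749/branches/rel_1_6_0/Open-ILS/src/c-apps/oils_cstore.c"
# Set DRY_RUN=1 to print each command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_pcrud_fix() {
    capps="$EG_SRC/Open-ILS/src/c-apps"

    # Steps 1 and 2: fetch the fixed oils_cstore.c straight over the old copy.
    run wget -O "$capps/oils_cstore.c" "$FIX_URL"
    # Refuse to build from an empty or missing download.
    if [ "$DRY_RUN" != 1 ] && [ ! -s "$capps/oils_cstore.c" ]; then
        echo "download of oils_cstore.c failed" >&2
        return 1
    fi

    # Step 3: rebuild the C services in the source directory.
    run make -C "$EG_SRC"

    # Step 4: chrpath is needed to strip the build-time rpath from the library.
    if ! command -v chrpath >/dev/null 2>&1; then
        run aptitude install chrpath
    fi

    # Step 5: let the rebuilt library resolve its dependencies from /openils/lib.
    run chrpath -d "$capps/.libs/oils_pcrud.so"

    # Step 6: install the new library files (glob expands once the build exists).
    run cp "$capps"/.libs/oils_pcrud.so.* /openils/lib/

    # Step 7: restart the C services so open-ils.pcrud picks up the fix.
    run osrf_ctl.sh -a restart_c
}

case "${1:-}" in
    --apply)   apply_pcrud_fix ;;
    --dry-run) DRY_RUN=1; apply_pcrud_fix ;;
esac
```

Run it as `DRY_RUN=1 sh apply_pcrud_fix.sh --dry-run` first (or `--apply` as the opensrf user once the command list looks right); the only step that changes behaviour from the post is the check that the downloaded file is non-empty before `make` is invoked.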

If you are running Evergreen 1.6, we recommend that you apply this
security fix as soon as possible, then upgrade to the latest release
(1.6.0.6) when you have an opportunity. Evergreen sites running releases
prior to 1.6 are not affected by this vulnerability.
