CVE-2020-14019

NameCVE-2020-14019
DescriptionOpen-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-rtslib-fb (PTS)stretch2.1.57+debian-4fixed
buster2.1.66-2fixed
bullseye, sid2.1.71-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-rtslib-fbsourcejessie(not affected)
python-rtslib-fbsourcestretch(not affected)
python-rtslib-fbsourcebuster(not affected)
python-rtslib-fbsource(unstable)(unfixed)

Notes

[buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70)
[stretch] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
[jessie] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
https://github.com/open-iscsi/rtslib-fb/pull/162
https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9

Search for package or bug name: Reporting problems