Bug 1016960 (CVE-2013-4419)

Summary: CVE-2013-4419 libguestfs: insecure temporary directory handling for guestfish's network socket
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bfan, fweimer, jkurik, jrusnack, leiwang, mbooth, misc, mmcallis, pfrields, rjones, security-response-team, vdanen, vkrizan, wshi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libguestfs 1.20.12, libguestfs 1.22.7, libguestfs 1.24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-22 06:19:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1019503, 1019737, 1020535, 1020950    
Bug Blocks: 974906, 1016967    
Attachments:
Description Flags
fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket
none
fish: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960).
none
fish: Move the guestfish socket from /tmp/.guestfish-$UID to /run/user/$UID.
none
fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). none

Description Murray McAllister 2013-10-09 04:01:26 UTC 
libguestfs is a library for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode (using the "--listen" option). If guestfish were run with the "--listen" option, a local attacker could use this flaw to intercept and modify other users' guestfish commands, allowing them to perform arbitrary guestfish actions (such as modifying virtual machines) with the privileges of a different user, or use this flaw to obtain authentication credentials.

Acknowledgements:

This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
Comment 3 Richard W.M. Jones 2013-10-09 11:28:30 UTC 
Created attachment 809855 [details]
fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket

Semi-related code cleanup.
Comment 4 Richard W.M. Jones 2013-10-09 11:29:50 UTC 
Created attachment 809857 [details]
fish: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960).

This is the meat of the fix: check that the directory
that we create (a) is a directory (b) has the right mode
(c) has the right owner.
Comment 5 Richard W.M. Jones 2013-10-09 11:31:55 UTC 
Created attachment 809858 [details]
fish: Move the guestfish socket from /tmp/.guestfish-$UID to /run/user/$UID.

I'm probably not going to apply this third part because:

- Can we be sure that /run/user/$UID always has mode 0700?

- /run/user is entirely missing on Debian Wheezy

- It seems to be safe to create the socket in /tmp now that
  we're doing all the checks -- the worst that could happen
  is a poor denial of service attack by a local user who is
  immediately visible.
Comment 6 Richard W.M. Jones 2013-10-09 11:34:14 UTC 
BTW I'm happy to publish this fix as soon as possible.  It is
low impact.
Comment 11 Michael S. 2013-10-09 22:25:52 UTC 
To answer comment #5, what about using $XDG_RUNTIME_DIR ( cf man pam_systemd, this is "Path to a user-private user-writable directory that is bound to the user login time on the machine" ), and fall back to /tmp if it doesn't exist ?

( with $XDG_RUNTIME_DIR being /run/user/$uid/ , as set by the pam module )

This will cover the case of non-systemd system, ie debian wheezy among other, while still using proper directory for newer system, and this could be cleaned later once we decide to stop supporting older system ?
Comment 18 Richard W.M. Jones 2013-10-11 11:36:37 UTC 
Created attachment 811007 [details]
fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960).

Version 2 of proposed patch.

Note also that "fish: Use UNIX_PATH_MAX instead of hard-coded value
for max length of socket" which is really an unrelated code cleanup
has gone upstream already.
Comment 25 Richard W.M. Jones 2013-10-17 09:26:39 UTC 
FYI the public announcement is going out today at 12:00 UTC, unless
anyone says otherwise in ~ the next 3 hours ...
Comment 26 Richard W.M. Jones 2013-10-17 12:01:29 UTC 
This issue is now public:
https://www.redhat.com/archives/libguestfs/2013-October/msg00031.html
Comment 27 Tomas Hoger 2013-10-17 20:56:18 UTC 
Created libguestfs tracking bugs for this issue:

Affects: fedora-all [bug 1020535]
Comment 29 Vincent Danen 2013-10-18 15:14:41 UTC 
Created libguestfs tracking bugs for this issue:

Affects: epel-5 [bug 1020950]
Comment 30 Fedora Update System 2013-10-27 03:58:49 UTC 
libguestfs-1.20.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2013-10-27 03:59:58 UTC 
libguestfs-1.22.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2013-10-27 05:32:50 UTC 
libguestfs-1.22.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2013-10-27 05:34:31 UTC 
libguestfs-1.20.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2013-11-10 06:52:13 UTC 
libguestfs-1.24.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 errata-xmlrpc 2013-11-21 04:47:10 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1536 https://rhn.redhat.com/errata/RHSA-2013-1536.html
Comment 39 Fedora Update System 2016-04-25 19:52:41 UTC 
libguestfs-1.20.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.