Bug 1056273 (CVE-2014-0023)
Summary: | CVE-2014-0023 OpenShift: install script has temporary file creation vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, kseifried, lmeyer, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-11-06 20:29:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1056274 | ||
Bug Blocks: |
Description
Kurt Seifried
2014-01-21 20:47:16 UTC
Still present, we really should fix this. It seems like the way to exploit this would be: 1. As a user on a system you know will be used to run oo-install, download the installer and put it in /tmp where it would be put when the admin will try to run the install. 2. Modify so that it does whatever nefarious purpose you have in mind. 3. The admin runs oo-install, it attempts to extract itself where the malicious installer now exists, the user doesn't notice that this actually failed to overwrite what was already there and continues to run the malicious version. Is there another way I'm not thinking of? I would expect ownership permissions would prevent anything else, unless of course the attacker owns root or the user's account, in which case protection seems out of scope. I understand the benefits of using unpredictable temp directories, just wondering if we can still keep the downloaded assets by hardening at step 3 (make sure you successfully wrote everything you're about to run). Statement: This issue affects the script provided on the OpenShift website. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |