Bug 1183151 (CVE-2015-0233)
| Summary: | CVE-2015-0233 389-admin: multiple /tmp/ file vulnerabilities | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jrusnack, mreynolds, nhosoi, nkinder, rmeggins |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-24 05:02:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1183152, 1183153, 1183154 | | |
| Bug Blocks: | 1014780 | | |
Description
Kurt Seifried
2015-01-16 20:23:47 UTC
Statement:

This issue affects the versions of 389-admin as shipped with Red Hat Directory Server 9.1. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Created 389-admin tracking bugs for this issue:

Affects: fedora-all [bug 1183153]
Affects: epel-all [bug 1183154]

Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Noriko Hosoi (comment #5):

Hi Kurt,

I took a look at the 2 cases you pointed out.

1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in

    my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

Luckily, the code was introduced by this bug for RHDS 10.0, which is not released at all, including fedora and epel:
https://bugzilla.redhat.com/show_bug.cgi?id=1173252
Thus, we could just reopen this bug (and the corresponding ticket) to take care of the /tmp issue.

2) ./389-admin-1.1.36/lib/libadmin/httpcon.c

And this is pure debug code which does not get built with DEBUG_TRACE enabled. Probably, we could comment out the "/tmp/http_trace.%d" part. But I don't think it is a target of a CVE.

    /* #define DEBUG_TRACE 1 */
    #undef DEBUG_TRACE

    #ifdef DEBUG_TRACE
    FILE *dbf = NULL;
    int numconns = 0;
    char *dbd = "/tmp/http_trace.%d";
    char dbp[256];
    #endif

That being said, could it be possible to close this CVE bug and let us work on the 2 issues as a normal issue for DS10? Thanks!!

(In reply to Noriko Hosoi from comment #5)
> Hi Kurt,
>
> I took a look at the 2 cases you pointed out.
>
> 1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
>     my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
>
> Luckily, the code was introduced by this bug for RHDS 10.0, which is not
> released at all, including fedora and epel:
> https://bugzilla.redhat.com/show_bug.cgi?id=1173252
> Thus, we could just reopen this bug (and the corresponding ticket) to take
> care of the /tmp issue.
>
> 2) ./389-admin-1.1.36/lib/libadmin/httpcon.c
>
> And this is pure debug code which does not get built with DEBUG_TRACE
> enabled. Probably, we could comment out the "/tmp/http_trace.%d" part. But I
> don't think it is a target of a CVE.
>     /* #define DEBUG_TRACE 1 */
>     #undef DEBUG_TRACE
>
>     #ifdef DEBUG_TRACE
>     FILE *dbf = NULL;
>     int numconns = 0;
>     char *dbd = "/tmp/http_trace.%d";
>     char dbp[256];
>     #endif
>
> That being said, could it be possible to close this CVE bug and let us
> work on the 2 issues as a normal issue for DS10? Thanks!!

Apologies, this was not marked NEEDINFO so I didn't see it in my BZ spam. It appears this was fixed, so closing CURRENTRELEASE.
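The two findings above share one root cause: a file or directory under /tmp whose name is derived from the process ID (`"/tmp/adm-sec-files." . $$` in the Perl installer, `/tmp/http_trace.%d` in the C debug code). PIDs are small, sequential and readable by every local user, so an attacker can create that exact path, typically as a symlink, before the privileged process does, and the process then writes through the symlink into a file of the attacker's choosing. The C program below is an added example written for this page, not 389-admin code: it replays the attack against a predictable PID-suffixed name and shows the hardened open pattern (`O_CREAT | O_EXCL | O_NOFOLLOW`) refusing the planted path. It assumes Linux/POSIX symlink semantics and a writable /tmp; the sandbox directory, the victim file and the guessed PID 4242 are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mirror the naming scheme from AdminServer.pm.in ("/tmp/adm-sec-files." . $$):
 * a fixed prefix plus a PID.  PIDs are guessable, so a local user can create
 * this exact path ahead of the privileged process. */
static void predictable_name(char *out, size_t len, const char *dir, long pid) {
    snprintf(out, len, "%s/adm-sec-files.%ld", dir, pid);
}

/* Vulnerable pattern: fopen(path, "w") truncates and writes whatever the path
 * resolves to, silently following a symlink planted by another user. */
static int unsafe_write(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_EXCL fails if anything already exists at the path
 * (symlinks included) and O_NOFOLLOW refuses a symlink as the final component.
 * Returns 0 on success or the errno value on failure. */
static int safe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return errno;
    ssize_t n = write(fd, data, strlen(data));
    int saved = (n < 0) ? errno : 0;
    close(fd);
    return saved;
}

/* Read a whole small file into buf (NUL-terminated); bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Replay the attack inside a private mkdtemp() directory standing in for /tmp.
 * Returns 1 when the unsafe writer clobbered the victim through the planted
 * symlink, the safe writer refused that path, and the safe writer still works
 * on a name nobody pre-created.  2/3/4 identify which step deviated; -1 means
 * the sandbox could not be set up. */
int demo_tmp_symlink_attack(void) {
    char sandbox[] = "/tmp/adm-sec-demo.XXXXXX";   /* mkdtemp creates it 0700 */
    char victim[512], trap[512], fresh[512], buf[64];
    int clobbered = 0, refused = 0, works = 0, rc, result = -1;

    if (mkdtemp(sandbox) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", sandbox);
    snprintf(fresh, sizeof fresh, "%s/fresh.out", sandbox);
    predictable_name(trap, sizeof trap, sandbox, 4242);  /* attacker guessed PID 4242 */

    /* Constructed victim file the attacker wants overwritten. */
    if (unsafe_write(victim, "original contents\n") != 0) goto cleanup;
    /* Attacker step: plant a symlink at the predictable name first. */
    if (symlink(victim, trap) != 0) goto cleanup;

    /* Privileged step, vulnerable version: the write lands in victim.conf. */
    clobbered = unsafe_write(trap, "attacker data\n") == 0
             && read_file(victim, buf, sizeof buf) > 0
             && strcmp(buf, "attacker data\n") == 0;

    /* Privileged step, hardened version: the planted path is rejected... */
    rc = safe_write(trap, "attacker data\n");
    refused = (rc == EEXIST || rc == ELOOP);
    /* ...while a fresh name is created and written normally. */
    works = safe_write(fresh, "ok\n") == 0
         && read_file(fresh, buf, sizeof buf) > 0
         && strcmp(buf, "ok\n") == 0;

    if (!clobbered) result = 3;
    else if (!refused) result = 2;
    else if (!works) result = 4;
    else result = 1;

cleanup:
    unlink(trap);
    unlink(victim);
    unlink(fresh);
    rmdir(sandbox);
    return result;
}

int main(void) {
    int r = demo_tmp_symlink_attack();
    printf("result=%d (1: unsafe writer clobbered the victim, safe writer refused)\n", r);
    return r == 1 ? 0 : 1;
}
```

The sandbox itself is created with `mkdtemp()`, which is the same fix that applies to the Perl installer: generate the backup directory name with a proper temporary-file API (`File::Temp::tempdir` in Perl, `mkdtemp`/`mkstemp` in C) instead of appending `$$` to a fixed /tmp prefix, and open anything under /tmp with `O_EXCL | O_NOFOLLOW` so a pre-created path is an error rather than a write target.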