Bug 1183151 (CVE-2015-0233)
| Summary: | CVE-2015-0233 389-admin: multiple /tmp/ file vulnerabilities | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | jrusnack, mreynolds, nhosoi, nkinder, rmeggins |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-24 05:02:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1183152, 1183153, 1183154 | | |
| Bug Blocks: | 1014780 | | |
Description
Kurt Seifried
2015-01-16 20:23:47 UTC
Statement:

This issue affects the versions of 389-admin as shipped with Red Hat Directory Server 9.1. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Created 389-admin tracking bugs for this issue:

Affects: fedora-all [bug 1183153]
Affects: epel-all [bug 1183154]

Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Comment 5
Noriko Hosoi

Hi Kurt,
I took a look at the 2 cases you pointed out.
1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in

```perl
my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
```

Luckily, the code was introduced by this bug for RHDS10.0, which is not released at all, including fedora and epel.
https://bugzilla.redhat.com/show_bug.cgi?id=1173252
Thus, we could just reopen this bug (and the corresponding ticket) to take care of the /tmp issue.

2) ./389-admin-1.1.36/lib/libadmin/httpcon.c

And this is pure debug code which does not get built with DEBUG_TRACE enabled. Probably, we could comment out the "/tmp/http_trace.%d" part. But I don't think it is a target of CVE.

```c
/* #define DEBUG_TRACE 1 */
#undef DEBUG_TRACE

#ifdef DEBUG_TRACE
FILE *dbf = NULL;
int numconns = 0;
char *dbd = "/tmp/http_trace.%d";
char dbp[256];
#endif
```

That being said, could it be possible to close this CVE bug and let us work on the 2 issues as a normal issue for DS10? Thanks!!
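The two cases above share one root cause: a path under the world-writable /tmp whose name is derived from nothing more than the process ID, so any local user can predict it and pre-create an entry there before the program does. The following is an added illustration, not 389-admin's code and not from the bug's participants; the function names (`predictable_backup_dir`, `secure_backup_dir`, `tmpdir_is_safe`, `create_exclusive`) are my own. It places the weak pattern from case 1 beside the POSIX `mkdtemp()` idiom that replaces it, and shows the `O_CREAT|O_EXCL|O_NOFOLLOW` open that a trace file like the one in case 2 would need.

```c
/* Added example: predictable /tmp names versus mkdtemp()/O_EXCL.
 * Not 389-admin code; function names here are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes mkdtemp() and O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The weak pattern (C rendering of Perl's "/tmp/adm-sec-files." . $$):
 * the name depends only on the PID, so it is guessable by any local user.
 * Returned string is heap-allocated; caller frees it. */
char *predictable_backup_dir(pid_t pid) {
    char *buf = malloc(64);
    if (!buf) return NULL;
    snprintf(buf, 64, "/tmp/adm-sec-files.%ld", (long)pid);
    return buf;
}

/* Hardened form: mkdtemp() fills the XXXXXX suffix with an unpredictable
 * value, creates the directory atomically with mode 0700, and fails instead
 * of reusing a pre-existing entry. Honours TMPDIR, falls back to /tmp.
 * Returned path is heap-allocated; caller frees it. */
char *secure_backup_dir(const char *base) {
    const char *tmpdir = getenv("TMPDIR");
    if (!tmpdir || !*tmpdir) tmpdir = "/tmp";
    size_t n = strlen(tmpdir) + 1 + strlen(base) + sizeof(".XXXXXX");
    char *tmpl = malloc(n);
    if (!tmpl) return NULL;
    snprintf(tmpl, n, "%s/%s.XXXXXX", tmpdir, base);
    if (!mkdtemp(tmpl)) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

/* Check a program can run before trusting a temp directory: it must be a
 * real directory (lstat, so a symlink is rejected), owned by the caller,
 * and accessible to nobody else. Returns 1 if safe, 0 otherwise. */
int tmpdir_is_safe(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;        /* symlink or regular file */
    if (st.st_uid != geteuid()) return 0;      /* owned by someone else   */
    if ((st.st_mode & 0777) != 0700) return 0; /* group/world access      */
    return 1;
}

/* Creating a file such as a trace log: O_CREAT|O_EXCL makes creation
 * atomic (fails with EEXIST if anything is already there) and O_NOFOLLOW
 * refuses a symlink at the final component. Returns fd or -1 (errno set). */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void) {
    char *weak = predictable_backup_dir(getpid());
    char *dir = secure_backup_dir("adm-sec-files");
    printf("guessable name : %s\n", weak ? weak : "(alloc failed)");
    printf("mkdtemp name   : %s (safe=%d)\n",
           dir ? dir : "(failed)", dir ? tmpdir_is_safe(dir) : 0);
    if (dir) {
        char trace[4096];
        snprintf(trace, sizeof trace, "%s/http_trace.1", dir);
        int fd = create_exclusive(trace);
        printf("exclusive open : %s\n", fd >= 0 ? "ok" : strerror(errno));
        if (fd >= 0) { close(fd); unlink(trace); }
        rmdir(dir);
    }
    free(weak);
    free(dir);
    return 0;
}
```

The Perl counterpart of `secure_backup_dir` is `File::Temp`'s `tempdir()` (for example `tempdir("adm-sec-files.XXXXXX", TMPDIR => 1, CLEANUP => 1)`), which wraps the same `mkdtemp` semantics; the point in both languages is that the name is chosen by the kernel-backed atomic create, never computed up front from the PID.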
(In reply to Noriko Hosoi from comment #5)

Apologies, this was not marked NEEDINFO so I didn't see it in my BZ spam. It appears this was fixed, so closing CURRENTRELEASE.