Bug 1194651 (CVE-2015-0278)
| Summary: | CVE-2015-0278 libuv: incorrect revocation order while relinquishing privileges | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ignatenko, jorton, mmaslano, sgallagh, sisharma, tchollingsworth, thrcka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-28 12:49:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1194653, 1194654, 1194655, 1194656 | ||
| Bug Blocks: | 1194650 | ||
|
Description
Vasyl Kaigorodov
2015-02-20 13:04:57 UTC
Created libuv tracking bugs for this issue: Affects: fedora-all [bug 1194653] Affects: epel-all [bug 1194654] Upstream announcement: https://groups.google.com/d/msg/libuv/0JZxwLMtsMI/jraczskYWWQJ Red Hat assigned CVE-2015-0278 to this issue. v8-3.14.5.10-17.fc21, nodejs-0.10.36-3.fc21, libuv-0.10.34-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. v8-3.14.5.10-17.fc20, nodejs-0.10.36-3.fc20, libuv-0.10.34-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. compat-libuv010-0.10.34-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. Analysis
========
In code of nodejs010-libuv in function static void uv__process_child_init() in the following code it call setgid() and setuid()
...
if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
uv__write_int(error_fd, errno);
perror("setgid()");
_exit(127);
}
if ((options.flags & UV_PROCESS_SETUID) && setuid(options.uid)) {
uv__write_int(error_fd, errno);
perror("setuid()");
_exit(127);
}
...
before calling setgid() and setuid() It does not call setgroups() while dropping privileges. There are ancillary groups associated with process which are inherited from the parent process which can only be altered by superuser. If some process runs with root or equivalent privileges it should call setgroups() before dropping root privileges.
On further analyzing about this flaw present in libuv as shipped with the nodejs10-libuv package present in Red Hat Software Collections, it seems impact of this flaw is low, as it depends on whether nodejs application is running under root privileges or not, so looking at the use cases of libuv with nodejs, nodejs applications would be running with privileges as they are expected to be running and not dropping them later on. As for the other applications using libuv running under superuser/root privileges impact of this flaw would be moderate. v8-3.14.5.10-17.el6, nodejs-0.10.36-3.el6, libuv-0.10.34-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. v8-3.14.5.10-17.el7, nodejs-0.10.36-3.el7, libuv-0.10.34-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. Statement: (none) |