Bug 1200927 (CVE-2015-1795)

Summary: CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: chrisw, mchangir, mdshaikh, nlevinki, rcyriac, sankarshan, security-response-team, sisharma, smohan, ssaha, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20150316,reported=20150309,source=redhat,cvss3=4.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-377,rhes-2.1/glusterfs=wontfix,rhes-3/glusterfs=affected,rhel-6/glusterfs=notaffected,rhel-7/glusterfs=notaffected,fedora-all/glusterfs=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the glusterfs-server RPM package would write a file with a predictable name into the world-readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-23 07:37:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1362044
Bug Blocks: 1200929

Description Martin Prpič 2015-03-11 16:37:19 UTC
It was discovered that the glusterfs.spec file writes a shell script under a predictable temporary name. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs packages.

The vulnerable code is:

-- rpm in RHEL5 does not have os.tmpname()
-- io.tmpfile() can not be resolved to a filename to pass to bash :-/
tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
tmpfile = io.open(tmpname, "w")
tmpfile:write(script)
tmpfile:close()
ok, how, val = os.execute("/bin/bash " .. tmpname)

Comment 1 Martin Prpič 2015-03-11 16:40:05 UTC
Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Kurt Seifried 2015-03-16 19:37:22 UTC
We can easily avoid this in RHEL 6/7 by using something like:

if (SomeFunc ~= nil) then
  SomeFunc(Args)
end

and then for RHEL 5 we can use a made up /tmp thing that is a bit safer like maybe math.random or read from /dev/random and create a string from that.

Comment 3 Kurt Seifried 2015-03-17 17:07:32 UTC
This only affects Gluster packages built with the -server sub package.

Comment 4 Siddharth Sharma 2015-07-27 15:24:52 UTC
Analysis
--------

The spec file of glusterfs writes a file with a predictable name in /tmp as /tmp/glusterfs_pretrans_, and this is executed during installation or when updating the glusterfs package. An attacker can execute a targeted attack by replacing the contents of the glusterfs_pretrans_ file with malicious code to escalate privileges on the system.

Comment 7 Milind Changire 2016-09-22 11:09:47 UTC
(In reply to Kurt Seifried from comment #3)
> This only affects Gluster packages built with the -server sub package.

All %pretrans scripts, which are only available while doing a server-side RPM build, use this mechanism of writing a shell script to a temporary file and then executing it.

Would it be safe to assume that fixing all such %pretrans scripts for all glusterfs sub packages would be a sensible thing to do?

Also, the glusterfs build on rhel 5 is a client only build and the %pretrans scripts with this security issue are available only for server-side RPM builds on rhel 6 and rhel 7. Since os.tmpname() is available on rhel 6 and rhel 7, would using the file name returned by os.tmpname() fix the security issue?
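
As an added illustration of the pattern discussed in comments 2 and 7 (this is not code from the bug, the spec file, or the glusterfs project), the following Python contrasts the spec's predictable naming scheme (prefix plus epoch seconds) with creating the file through mkstemp, which is what a "safer /tmp thing" needs to provide: an unguessable name, atomic O_CREAT|O_EXCL creation, and mode 0600. The stand-in script, the fixed epoch value and the use of a private directory in place of /tmp are constructed for the demonstration.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the shell script the spec's %pretrans writes out.
SCRIPT = "#!/bin/sh\necho pretrans-ok\n"


def predictable_name(tmpdir, epoch):
    """Mirror the spec's naming scheme: fixed prefix plus os.date('%s'), i.e. epoch seconds."""
    return os.path.join(tmpdir, "glusterfs_pretrans_%d" % epoch)


def write_predictable(tmpdir, epoch, script):
    """Vulnerable pattern (CWE-377): opening the guessable path with 'w' reuses whatever
    already sits there, so the file keeps the owner and mode of whoever created it first."""
    name = predictable_name(tmpdir, epoch)
    preexisted = os.path.lexists(name)
    with open(name, "w") as fh:
        fh.write(script)
    return name, preexisted


def write_private(tmpdir, script):
    """Hardened pattern: mkstemp picks an unguessable name and creates it with
    O_CREAT|O_EXCL and mode 0600, so a pre-existing entry is never reused or followed."""
    fd, name = tempfile.mkstemp(prefix="glusterfs_pretrans_", dir=tmpdir)
    try:
        os.write(fd, script.encode())
    finally:
        os.close(fd)
    return name


def file_mode(name):
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(name).st_mode)


def run_script(name):
    """Execute the written script the way the spec does (interpreter plus path)."""
    res = subprocess.run(["/bin/sh", name], capture_output=True, text=True, check=True)
    return res.stdout.strip()


def compare(epoch=1426029600):
    """Plant an empty, world-writable file at the name the predictable scheme will pick
    (which any local user can do in a world-writable /tmp), then write the script both ways.
    The epoch value is constructed; a private temporary directory stands in for /tmp."""
    with tempfile.TemporaryDirectory() as tmpdir:
        planted = predictable_name(tmpdir, epoch)
        with open(planted, "w"):
            pass
        os.chmod(planted, 0o666)

        vuln_name, reused = write_predictable(tmpdir, epoch, SCRIPT)
        safe_name = write_private(tmpdir, SCRIPT)

        return {
            # the installer found the planted file at its chosen name and wrote into it
            "predictable_reused_planted_file": reused,
            # ...and the file stays writable by everyone until it is executed
            "predictable_mode": oct(file_mode(vuln_name)),
            # mkstemp never lands on the planted name and never reuses an existing file
            "private_collides_with_planted": safe_name == planted,
            "private_mode": oct(file_mode(safe_name)),
            "private_output": run_script(safe_name),
        }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-34s %s" % (key, value))
```

One caveat for the os.tmpname() route raised above: whether it closes the window depends on how the embedded Lua interpreter was built. Lua's os.tmpname() is backed by mkstemp(3) when compiled with LUA_USE_MKSTEMP (the file is created atomically with mode 0600, as in write_private above) and by tmpnam(3) otherwise, which only returns a name and leaves the same create-then-open race. Checking the file's owner and mode after creation, as compare() does, is a quick way to tell which behaviour a given build has.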

Comment 11 errata-xmlrpc 2017-03-23 05:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2017:0484 https://rhn.redhat.com/errata/RHSA-2017-0484.html

Comment 12 errata-xmlrpc 2017-03-23 05:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2017:0486 https://rhn.redhat.com/errata/RHSA-2017-0486.html

Comment 15 Siddharth Sharma 2017-12-26 14:35:02 UTC
Statement:

This issue did not affect the versions of glusterfs as shipped
with Red Hat Enterprise Linux 6, and 7.