|Summary:||CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue|
|Product:||[Other] Security Response||Reporter:||Martin Prpič <mprpic>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||chrisw, mchangir, mdshaikh, nlevinki, rcyriac, sankarshan, security-response-team, sisharma, smohan, ssaha, vbellur|
|Fixed In Version:||Doc Type:||Bug Fix|
It was found that the glusterfs-server RPM package would write a file with a predictable name into the world readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package.
|Last Closed:||2017-03-23 07:37:07 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1362044|
Description Martin Prpič 2015-03-11 16:37:19 UTC
It was discovered that the glusterfs.spec file writes a shell script under a predictable temporary name. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs packages.

The vulnerable code is:

    -- rpm in RHEL5 does not have os.tmpname()
    -- io.tmpfile() can not be resolved to a filename to pass to bash :-/
    tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
    tmpfile = io.open(tmpname, "w")
    tmpfile:write(script)
    tmpfile:close()
    ok, how, val = os.execute("/bin/bash " .. tmpname)
Comment 1 Martin Prpič 2015-03-11 16:40:05 UTC
Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 2 Kurt Seifried 2015-03-16 19:37:22 UTC
We can easily avoid this in RHEL 6/7 by using something like:

    if (SomeFunc ~= nil) then
        SomeFunc(Args)
    end

and then for RHEL 5 we can use a made up /tmp thing that is a bit safer like maybe math.random or read from /dev/random and create a string from that.
Comment 3 Kurt Seifried 2015-03-17 17:07:32 UTC
This only affects Gluster packages built with the -server sub package.
Comment 4 Siddharth Sharma 2015-07-27 15:24:52 UTC
Analysis
--------
Spec file of the glusterfs writes a file with a predictable name in /tmp as /tmp/glusterfs_pretrans_ as this is executed during installation or when updating the glusterfs package. An attacker can execute a targeted attack by replacing contents of glusterfs_pretrans_ file by malicious code to escalate privileges on the system.
Comment 7 Milind Changire 2016-09-22 11:09:47 UTC
(In reply to Kurt Seifried from comment #3)
> This only affects Gluster packages built with the -server sub package.

All %pretrans scripts, which are only available while doing a server-side RPM build, use this mechanism of writing a shell script to a temporary file and then execute it. Would it be safe to assume that fixing all such %pretrans scripts for all glusterfs sub packages would be a sensible thing to do?

Also, the glusterfs build on rhel 5 is a client only build and the %pretrans scripts with this security issue are available only for server-side RPM builds on rhel 6 and rhel 7. Since os.tmpname() is available on rhel 6 and rhel 7, would using the file name returned by os.tmpname() fix the security issue?
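An audit for the pattern this report describes, as an added example that is not part of the bug thread or the glusterfs project: it scans every scriptlet in an RPM spec file for literal /tmp paths that are either fixed or extended with a guessable value such as the clock or a PID. It goes beyond the single %pretrans case quoted above; the function name, the heuristics and the sample spec are assumptions made for illustration.

```python
import re

# Spec section headers; a scriptlet runs until the next header of any kind.
SECTION = re.compile(r"^%(pretrans|posttrans|preun|postun|pre|post|prep|build|"
                     r"install|check|files|changelog|package|description)\b(.*)$")
SCRIPTLETS = {"pretrans", "posttrans", "preun", "postun", "pre", "post"}
# Quoted literal path under a world-writable temp directory.
TMP_LITERAL = re.compile(r"""["'](/(?:var/)?tmp/[^"']*)["']""")
# Values another local user can guess: wall-clock time or a process ID.
GUESSABLE = re.compile(r"os\.date|os\.time|\$\$|getprocessid")
# Helpers that pick the name and create the file atomically.
SAFE = re.compile(r"\bmktemp\b|\bmkstemp\b")

def find_predictable_tmp(spec_text):
    """Return (scriptlet, line_no, path, reason) for each risky temp path."""
    findings, current = [], None
    for no, line in enumerate(spec_text.splitlines(), 1):
        header = SECTION.match(line)
        if header:
            name, rest = header.groups()
            current = f"%{name}{rest.rstrip()}" if name in SCRIPTLETS else None
            continue
        if current is None or line.lstrip().startswith(("--", "#")):
            continue  # outside a scriptlet, or a Lua/shell comment line
        literal = TMP_LITERAL.search(line)
        if literal and not SAFE.search(line):
            reason = "guessable suffix" if GUESSABLE.search(line) else "fixed name"
            findings.append((current, no, literal.group(1), reason))
    return findings

# Constructed spec fragment; the %pretrans body reuses lines quoted in the report.
SAMPLE_SPEC = '''\
Name: example
%description
Temporary files live in "/tmp/example" (prose, not a scriptlet).
%pretrans server -p <lua>
-- comment mentioning "/tmp/ignored"
tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
tmpfile = io.open(tmpname, "w")
ok, how, val = os.execute("/bin/bash " .. tmpname)
%post
work=$(mktemp "/tmp/example.XXXXXX")
echo done > "/tmp/example.state"
%files
'''

if __name__ == "__main__":
    for finding in find_predictable_tmp(SAMPLE_SPEC):
        print(finding)
```

The check is line-based and heuristic: a path assembled across several lines or taken from a macro will not be reported, so a hit is a prompt for manual review of that scriptlet rather than proof either way.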
Comment 11 errata-xmlrpc 2017-03-23 05:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2017:0484 https://rhn.redhat.com/errata/RHSA-2017-0484.html
Comment 12 errata-xmlrpc 2017-03-23 05:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2017:0486 https://rhn.redhat.com/errata/RHSA-2017-0486.html
Comment 15 Siddharth Sharma 2017-12-26 14:35:02 UTC
Statement: This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6, and 7.