Bug 1203352 (CVE-2015-1815)
Summary: | CVE-2015-1815 setroubleshoot: command injection via crafted file name | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | high | Docs Contact: | |||||||
Priority: | high | ||||||||
Version: | unspecified | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, security-response-team, ssekidde | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: |
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.
|
Story Points: | --- | ||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2015-03-26 19:25:28 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 1203973, 1203974, 1203975, 1203976, 1203977, 1206050 | ||||||||
Bug Blocks: | 1203354 | ||||||||
Attachments: |
|
Description
Martin Prpič
2015-03-18 16:32:09 UTC
Created attachment 1003803 [details]
don't use unsecure commands.getstatusoutput in for getting rpm nvr
subprocess module methods doesn't use shell by default.
(In reply to Huzaifa S. Sidhpurwala from comment #10) > This looks insufficient. What if a filename is e.g. "-a"? > > BTW, at least my copy of RPM doesn't appear to support "--" to stop > sub-option parsing. > > In general, this design feels very fragile. I'd disable the feature. Thinking more about this I'd use the proposed patch: - You should not be able to run arbitrary code using only an argument of rpm command. - When you have "-a" file, rpm command will get "/tmp/-a" as an argument, not "-a" directly Created attachment 1004551 [details]
fix get_rpm_nvr_*_temporary functions
- use subprocess.check_output() instead of commands.getstatusoutput()
- use os.path.abspath() to get a normalized absolutized version of the name.
Created setroubleshoot tracking bugs for this issue: Affects: fedora-all [bug 1206050] Write-up and public exploit from the reporter: https://github.com/stealth/troubleshooter This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2015:0729 https://rhn.redhat.com/errata/RHSA-2015-0729.html setroubleshoot-3.2.22-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. setroubleshoot-3.2.17-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. setroubleshoot-3.2.22-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |