Bug 1212861 (CVE-2015-1869)

Summary: CVE-2015-1869 abrt: default event scripts follow symbolic links
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrt-devel-list, dvlasenk, iprikryl, jfilak, jrusnack, magoldma, mhabrnal, michal.toman, mkyral, mmilata
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that the default event handling scripts installed by ABRT did not handle symbolic links correctly. A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-09 05:34:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1211966, 1211967, 1212863, 1212864, 1212865    
Bug Blocks: 1211224, 1214172    

Description Florian Weimer 2015-04-17 14:34:10 UTC 
It was discovered that the default event handling scripts installed by
abrt follow symbolic links, allowing local attackers with write access
to an abrt problem directory to escalate their privileges, as
demonstrated by a var_log_messages file which is a symbolic link to file
in /etc/cron.hourly.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 3 Florian Weimer 2015-04-17 14:39:24 UTC 
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212865]
Comment 5 Jakub Filak 2015-05-05 11:18:35 UTC 
The commits are listed in bug #1212868 comment #4.
Comment 6 Jakub Filak 2015-05-06 12:48:02 UTC 
I am going to make to the code a bit more robust by preventing non-root users from triggering the default event scripts run by abrtd under root user.
Comment 7 Jakub Filak 2015-05-22 04:57:03 UTC 
These commits stop non-root users from triggering the default EVENT scripts:
daemon: allow only root user to trigger the post-create 
https://github.com/abrt/abrt/commit/3287aa12eb205cff95cdd00d6d6c5c9a4f8f0eca

daemon, dbus: allow only root to create CCpp, Koops, vmcore and xorg 
https://github.com/abrt/abrt/commit/7417505e1d93cc95ec648b74e3c801bc67aacb9f
Comment 11 errata-xmlrpc 2015-06-09 19:48:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
Comment 13 errata-xmlrpc 2015-07-07 08:40:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html