Bug 1212868 (CVE-2015-1870)

Summary: CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abrt-devel-list, dvlasenk, iprikryl, jfilak, jrusnack, mbrysa, mhabrnal, michal.toman, mmilata, mprpic
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that the ABRT event scripts created a user-readable copy of an sosreport file in ABRT problem directories, and included excerpts of /var/log/messages selected by the user-controlled process name, leading to an information disclosure. The fix for this issue prevents non-privileged users from accessing any crash reports, even reports of crashes of processes owned by those users. Only administrators (the wheel group members) are allowed to access crash reports via the "System" tab in the ABRT GUI, or by running abrt-cli as root (that is, via "sudo abrt-cli" or "su -c abrt-cli").
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-09 05:34:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1211966, 1211967, 1212869, 1212870, 1212871    
Bug Blocks: 1211224, 1214172    

Description Florian Weimer 2015-04-17 14:45:25 UTC 
It was discovered that the abrt event scripts create a user-readable
copy of a sosreport file in abrt problem directories, and include
excerpts of /var/log/messages selected by the user-controlled process
name, leading to an information disclosure.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 2 Florian Weimer 2015-04-17 14:46:20 UTC 
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212871]
Comment 4 Jakub Filak 2015-05-05 11:17:15 UTC 
This upstream commit https://github.com/abrt/abrt/commit/8939398b82006ba1fec4ed491339fc075f43fc7c changes the owner to root.

This upstream commit https://github.com/abrt/abrt/commit/7d023c32a565e83306cddf34c894477b7aaf33d1 moves /var/tmp/abrt to /var/spool/abrt.

This upstream commit https://github.com/abrt/libreport/commit/c962918bc70a61a8cc647898ee8b1ff1c14a87c5 sets the mode of dump directories to 750.
Comment 7 Marek Bryša 2015-05-26 10:26:28 UTC 
I believe there is one tiny mistake in the Doc Text:
"The fix for this issue prevents non-privileged users FROM access TO any crash reports, ..."
Comment 8 errata-xmlrpc 2015-06-09 19:49:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
Comment 9 errata-xmlrpc 2015-07-07 08:40:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html