Bug 1212953 (CVE-2015-3147)
| Field | Value |
|---|---|
| Summary | CVE-2015-3147 abrt: does not validate contents of uploaded problem reports |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Florian Weimer <fweimer> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | abrt-devel-list, dvlasenk, iprikryl, jfilak, jrusnack, mhabrnal, michal.toman, mmilata |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | It was discovered that, when moving problem reports between certain directories, abrt-handle-upload did not verify that the new problem directory had appropriate permissions and did not contain symbolic links. An attacker able to create a crafted problem report could use this flaw to expose other parts of ABRT, or to overwrite arbitrary files on the system. |
| Last Closed | 2015-07-09 05:34:52 UTC |
| Bug Depends On | 1211966, 1211967, 1218583, 1238724 |
| Bug Blocks | 1211224, 1214172 |

Description
Florian Weimer
2015-04-17 18:40:07 UTC
abrt itself does not accept crash uploads over the network; it relies on some sort of file transfer to /var/spool/abrt-upload. By default, this directory has restrictive write permissions, so this functionality is not exposed to users. As a result, this vulnerability does not affect default configurations.

I've opened the following upstream pull request for this CVE: https://github.com/abrt/abrt/pull/955

(In reply to Jakub Filak from comment #3)
> I've opened the following upstream pull request for this CVE:
> https://github.com/abrt/abrt/pull/955

Thanks, see my GitHub comments. In short, the directory permissions are unclear, and there seems to be a race between the validation and the renaming.

(In reply to Florian Weimer from comment #4)
> (In reply to Jakub Filak from comment #3)
> > I've opened the following upstream pull request for this CVE:
> > https://github.com/abrt/abrt/pull/955
>
> Thanks, see my GitHub comments. In short, the directory permissions are
> unclear, and there seems to be a race between the validation and the renaming.

Thank you! I've updated the pull request and added a comment about the directory permissions.

Upstream commit https://github.com/abrt/abrt/commit/3746b7627218438ae7d781fc8b18a221454e9091 fixes this bug.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html
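
The two checks this report says were missing (appropriate directory permissions, no symbolic links) are shown here as an added example; it is not abrt's code or the upstream fix. The function names, the file names and the assumption that a problem directory is a flat set of regular files owned by one uid are all made up for illustration.

```python
import os
import stat
import tempfile

def validate_problem_dir(path, owner_uid):
    """Return a list of findings; an empty list means the directory passed."""
    try:
        # O_NOFOLLOW refuses a symlinked path; later checks use this descriptor.
        dfd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        return ["%s: not openable as a real directory (%s)" % (path, exc.strerror)]
    findings = []
    try:
        st = os.fstat(dfd)
        if st.st_uid != owner_uid:
            findings.append(".: owned by uid %d" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(".: writable by group or others")
        for name in sorted(os.listdir(dfd)):
            est = os.stat(name, dir_fd=dfd, follow_symlinks=False)  # lstat
            if stat.S_ISLNK(est.st_mode):
                findings.append(name + ": symbolic link")
            elif not stat.S_ISREG(est.st_mode):
                findings.append(name + ": not a regular file")
            elif est.st_nlink != 1:
                findings.append(name + ": has extra hard links")
            elif est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(name + ": writable by group or others")
    finally:
        os.close(dfd)
    return findings

def build_samples(root):
    """Constructed sample input: one clean directory, one holding a symlink."""
    good, bad = os.path.join(root, "good"), os.path.join(root, "bad")
    for d in (good, bad):
        os.mkdir(d)
        os.chmod(d, 0o700)  # explicit modes so the result ignores the umask
        element = os.path.join(d, "sample_element")  # hypothetical file name
        with open(element, "w") as f:
            f.write("constructed sample\n")
        os.chmod(element, 0o600)
    os.symlink("../good/sample_element", os.path.join(bad, "linked_element"))
    return good, bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for d in build_samples(root):
            print(d, validate_problem_dir(d, os.getuid()))
```

A check like this only holds if the directory can no longer be modified by the uploader when it runs, which is the race between validation and renaming raised in the comments above.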