Bug 1216962 (CVE-2015-3159)

Summary: CVE-2015-3159 abrt: missing process environment sanitization in abrt-action-install-debuginfo-to-abrt-cache
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abrt-devel-list, dvlasenk, iprikryl, jfilak, jrusnack, magoldma, mhabrnal, michal.toman, mmilata
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that the abrt-action-install-debuginfo-to-abrt-cache helper program did not properly filter the process environment before invoking abrt-action-install-debuginfo. A local attacker could use this flaw to escalate their privileges on the system.
Last Closed: 2015-07-09 05:35:53 UTC
Bug Depends On: 1211966, 1211967, 1216973, 1216974, 1216975
Bug Blocks: 1211224, 1214172

Description Florian Weimer 2015-04-29 10:11:49 UTC
It was discovered that the helper program,
abrt-action-install-debuginfo-to-abrt-cache, does not properly filter
the process environment (umask and truncated command line options)
before invoking abrt-action-install-debuginfo.  A local user could
exploit this vulnerability to obtain root privileges.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Florian Weimer 2015-04-29 10:38:09 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1216975]

Comment 4 Florian Weimer 2015-04-29 10:50:30 UTC
The fix should set the umask to 022 and apply a whitelist to the command line options.

Changing the current directory to /var/spool/abrt would be preferable as well, but this is difficult because some ways of running abrt-action-install-debuginfo open a file build_ids in the current directory (which could result in an abrt -> local user information disclosure).  Perhaps the wrapper can open the file, using the calling user's UID/GID, and pass it on standard input.

I also looked at the way in which yum creates the /var/tmp/yum-abrt-* directory, and it appears to be okay.
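
The two measures named in Comment 4 (reset the umask to 022, allowlist the command-line options), sketched as an added example that is not part of the bug report or the ABRT source. The option names in the allowlist are hypothetical, chosen only for illustration; the point is that matching must be exact, because an option parser that accepts unambiguous abbreviations (as GNU getopt_long() does) would expand a truncated option that a naive filter let through.

```c
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical allowlist: these option names are assumptions for
 * illustration, not taken from the bug report. */
struct allowed_opt { const char *name; int takes_value; };
static const struct allowed_opt ALLOWED[] = {
    { "-y",      0 },
    { "--ids",   1 },   /* accepted only as --ids=VALUE */
    { "--exact", 1 },   /* accepted only as --exact=VALUE */
};

/* Return 1 only if arg is exactly an allowlisted option.
 * A prefix such as "--exa=..." is rejected even though an
 * abbreviation-accepting parser downstream would treat it as --exact. */
static int option_allowed(const char *arg)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        size_t n = strlen(ALLOWED[i].name);
        if (strncmp(arg, ALLOWED[i].name, n) != 0)
            continue;
        if (!ALLOWED[i].takes_value && arg[n] == '\0')
            return 1;
        if (ALLOWED[i].takes_value && arg[n] == '=' && arg[n + 1] != '\0')
            return 1;
    }
    return 0;
}

/* Reset the umask inherited from the caller to 022, then vet argv[1..].
 * Returns 0 if every argument is allowed, otherwise the index of the
 * first rejected argument so the wrapper can refuse to exec the helper. */
int sanitize_invocation(int argc, char **argv)
{
    umask(022);
    for (int i = 1; i < argc; i++)
        if (!option_allowed(argv[i]))
            return i;
    return 0;
}
```

A wrapper would call sanitize_invocation() before any exec and exit with an error on a non-zero result rather than dropping the offending argument and continuing.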

Comment 6 Florian Weimer 2015-05-06 07:50:54 UTC
Starting with Red Hat Enterprise Linux 6.5, due to a regression introduced by the fix for bug 759443 (“ABRT won't install debuginfos from rhn repository”), abrt-action-install-debuginfo does not seem to do much when abrt-action-install-debuginfo-to-abrt-cache is invoked by a non-root user, so the issue is mitigated in later versions of Red Hat Enterprise Linux 6.

Comment 7 Jakub Filak 2015-05-06 10:44:51 UTC
I would like to fix abrt-action-install-debuginfo in RHEL-6 to make it work for non-root users again (bug #1216962). Only the users who use only rhn repositories suffer from bug #756443 (“ABRT won't install debuginfos from rhn repository”), but other users who might have configured custom repositories (or CentOS users) should be able to use ABRT to download debug info packages.

Comment 10 errata-xmlrpc 2015-06-09 19:49:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 11 errata-xmlrpc 2015-07-07 08:40:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html