Bug 1218658 (CVE-2015-3171)

Summary: CVE-2015-3171 sosreport: temporary file created with world-readable permissions
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agk, bmr, gavin, kroberts, plambri, pmoravec, sbradley
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-01 09:25:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1218659    
Bug Blocks: 1225825    

Description Martin Prpič 2015-05-05 13:44:09 UTC 
It was reported that sosreport creates output files with world-readable permissions:

-rw-r--r--. 1 root root 7331624 May 4 08:55
sosreport-localhost.localdomain-20150504084328.tar.xz
-rw-r--r--. 1 root root 33 May 4 08:55
sosreport-localhost.localdomain-20150504084328.tar.xz.md5

The archive may consists of files originally only accessible by the root user. However, after extracting the archive, all of the files are readable by regular users with access to /var/tmp/.

Acknowledgements:

Red Hat would like to thank Grant Murphy for reporting this issue.
Comment 1 Martin Prpič 2015-05-05 13:45:04 UTC 
Created sos tracking bugs for this issue:

Affects: fedora-all [bug 1218659]
Comment 2 Bryn M. Reeves 2015-05-05 15:13:30 UTC 
Version & release numbers?
Comment 3 Bryn M. Reeves 2015-05-05 15:25:18 UTC 
Does not affect F20 or earlier:

# sosreport -v --batch -o general

sosreport (version 3.1)

This command will collect system configuration and diagnostic
information from this Fedora system. An archive containing the collected
information will be generated in /var/tmp.

For more information on the Fedora Project visit:

  https://fedoraproject.org/

The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party.

No changes will be made to system configuration.


 Running plugins. Please wait ...

  Running 1/1: general...        
Creating compressed archive...

Your sosreport has been generated and saved in:
  /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz

The checksum is: 640904285a51114c0b03f142e533af4c

Please send this file to your support representative.

[root@localhost ~]# ll /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz
-rw-------. 1 root root 584392 May  5 16:21 /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz

Unfortunately F21 is still using an early build of 3.2 that has a bug in the umask handling for the tar archive:

commit d7759d3ddae5fe99a340c88a1d370d65cfa73fd6
Author: Bryn M. Reeves <bmr>
Date:   Thu Oct 30 16:46:01 2014 +0000

    [sosreport] fix archive permissions regression
    
    Restore the umask save/restore around archive creation and ensure
    the effective umask is 077 at the time of archive creation.
    
    Fixes #425.
    
    Signed-off-by: Bryn M. Reeves <bmr>

I'll update this in F21, 22 and rawhide to a version that includes the above commit.
Comment 4 Huzaifa S. Sidhpurwala 2015-06-01 09:21:39 UTC 
This flaw is a regression in the default behaviour of sosreport, which was introduced by the following commit:

https://github.com/sosreport/sos/commit/8d2577786cce6fcc915836108e405dbf5025dec8

and was fixed via the following commit:

https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6
Comment 5 Huzaifa S. Sidhpurwala 2015-06-01 09:24:59 UTC 
Statement:

Not vulnerable. This issue does not affect the version of sos package as shipped with Red Hat Enterprise Linux 5, 6 and 7.