Bug 1282542 (CVE-2015-7529)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2015-7529 sos: Usage of predictable temporary files allows privilege escalation | | |
| Product | [Other] Security Response | Reporter | Adam Mariš <amaris> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | abaron, agk, aortega, apevec, ayoung, bmr, chrisw, cperry, dallan, dhoward, dkutalek, gavin, gkotton, gmollett, huzaifas, jschluet, lhh, lpeer, lyarwood, markmc, mflitter, mguzik, osoukup, plambri, pmatouse, pmoravec, rbryant, sbradley, sclewis, security-response-team, tdecacqu |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | An insecure temporary file use flaw was found in the way sos created certain sosreport files. A local attacker could possibly use this flaw to perform a symbolic link attack to reveal the contents of sosreport files, or in some cases modify arbitrary files and escalate their privileges on the system. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2016-12-21 01:13:53 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1286933, 1286934, 1290953, 1290954, 1290955, 1310409, 1310466 | | |
| Bug Blocks | 1282568 | | |
| Attachments | | | |
Description (Adam Mariš, 2015-11-16 17:14:35 UTC)
> sosreport creates temporary directory in /tmp with predictable name
> sosreport-$hostname-$date

The name of the directory is not predictable; it's the fact that we then re-use that (now published in the file system) name for the final tar archive that allows a malicious user to predict the archive path name.

I expect to push a fix for this upstream in the next couple of days; however, due to product integration needs we may need to use a slightly different approach in any urgent errata.
Created attachment 1097279 [details]: [policies] move hash determination to policies

Created attachment 1097280 [details]: [policies] refactor Policy.display_results() args

Created attachment 1097281 [details]: [sosreport] move archive checksumming to sosreport

Created attachment 1097283 [details]: [sosreport] prepare report in a private subdirectory
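The following is an added illustration, not sos code and not one of the attached patches. It contrasts the pattern the bug describes (an archive path derived only from public inputs, so anyone who sees the working directory appear can compute where the final tarball will land) with the defensive pattern the last attachment's title names: build the report inside a private, unpredictably named, mode-0700 directory and open the archive with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-existing entry at that path, symlink or otherwise, causes a refusal rather than a follow or an overwrite. Function names, the `sos.` prefix, and the sample log line are constructed for this example.

```python
"""Added example (not sos code): predictable vs. private report paths."""
import os
import socket
import tarfile
import tempfile
import time
from pathlib import Path


def predictable_archive_path(base="/tmp", hostname=None, date=None):
    """The weak pattern from the report: a name built only from public
    inputs, so it can be derived before the archive is written."""
    hostname = hostname or socket.gethostname()
    date = date or time.strftime("%Y%m%d")
    return os.path.join(base, f"sosreport-{hostname}-{date}.tar.gz")


def prepare_private_report_dir(base=None):
    """Hardened pattern: mkdtemp gives a mode-0700 directory with an
    unpredictable name, created atomically and owned by the caller.
    Everything, including the final archive, is written inside it."""
    base = base or tempfile.gettempdir()
    return tempfile.mkdtemp(prefix="sos.", dir=base)  # 'sos.' prefix is constructed


def write_archive_safely(private_dir, payload_files, name="sosreport.tar.gz"):
    """Create the archive so that an existing entry at the target path
    (regular file or symbolic link) makes the open fail with
    FileExistsError instead of being truncated or followed."""
    target = os.path.join(private_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)  # O_EXCL: refuse if anything exists
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        for path in payload_files:
            tar.add(path, arcname=os.path.basename(path))
    return target


def demo():
    """Run the hardened flow on constructed input and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        payload = Path(base) / "example.log"
        payload.write_text("constructed sample log line\n")  # constructed input

        private = prepare_private_report_dir(base)
        results["dir_mode"] = os.stat(private).st_mode & 0o777
        archive = write_archive_safely(private, [str(payload)])
        results["archive_inside_private_dir"] = Path(archive).parent == Path(private)
        with tarfile.open(archive) as tar:
            results["members"] = tar.getnames()

        # A second write to the same name must be refused, never overwrite.
        try:
            write_archive_safely(private, [str(payload)])
            results["second_write_blocked"] = False
        except FileExistsError:
            results["second_write_blocked"] = True

        # A pre-existing symlink at the archive path (planted here only to
        # exercise the check): O_EXCL refuses it and the link target is
        # never created or written.
        other = prepare_private_report_dir(base)
        decoy = Path(base) / "should-not-be-created"
        os.symlink(decoy, Path(other) / "sosreport.tar.gz")
        try:
            write_archive_safely(other, [str(payload)])
            results["symlink_blocked"] = False
        except FileExistsError:
            results["symlink_blocked"] = True
        results["decoy_untouched"] = not decoy.exists()
    return results


if __name__ == "__main__":
    print(predictable_archive_path("/tmp", "host", "20151116"))
    print(demo())
```

The essential point is that the private directory is what makes the archive name unguessable and unreachable to other local users; the O_EXCL|O_NOFOLLOW open is the belt-and-braces check that fails closed if the directory's contents were tampered with anyway. Checksumming the archive (the other attachment) belongs after this step, on the file descriptor that was just written, not on a path re-opened by name.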
Created sos tracking bugs for this issue:
Affects: fedora-all [bug 1286934]

sos-3.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:0152 https://rhn.redhat.com/errata/RHSA-2016-0152.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0188 https://rhn.redhat.com/errata/RHSA-2016-0188.html