Bug 1352437 (CVE-2016-6153)

Summary: CVE-2016-6153 sqlite: Tempdir selection vulnerability
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: alex, bazanluis20, databases-maint, dmoppert, drizt72, erik-fedora, fedora-mingw, fedora, hhorak, jakub.dornak, jdornak, jstanek, mschorm, pkubat, praiskup, redhat-bugzilla, rjones, sardella, slawomir, wilmer5
Last Closed: 2016-07-06 03:15:17 UTC
Bug Depends On: 1352438, 1352439, 1352440, 1352442, 1352443
Bug Blocks: 1352447

Description Adam Mariš 2016-07-04 07:47:10 UTC
It was found that the temporary directory search algorithm doesn't allow directories with only -wx permissions on Unix. Instead it falls back to '.' even if it is an unsafe location. Although the permissions of '.' are checked, the result of that check is ignored.

Upstream patch:

https://www.sqlite.org/cgi/src/info/67985761aa93fb61
https://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
https://www.sqlite.org/cgi/src/info/614bb709d34e1148

CVE assignment:

http://seclists.org/oss-sec/2016/q3/1

External References:

https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

Comment 1 Adam Mariš 2016-07-04 07:48:18 UTC
Created sqlite2 tracking bugs for this issue:

Affects: fedora-all [bug 1352439]
Affects: epel-all [bug 1352443]

Comment 2 Adam Mariš 2016-07-04 07:48:26 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1352438]

Comment 3 Adam Mariš 2016-07-04 07:48:33 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1352440]
Affects: epel-7 [bug 1352442]

Comment 4 Doran Moppert 2016-07-06 03:01:45 UTC
The impact of this issue is certainly low, if it can even be considered a security flaw.

The hard-coded temp dir search path follows:

  1. temp_store_directory pragma (if defined)
  2. SQLITE_TMPDIR environment var
  3. TMPDIR env var
  4. /var/tmp
  5. /usr/tmp
  6. /tmp

Only if all of these are exhausted is the cwd used.  The impact of this bug is such that directories with permissions (relative to the user) of exactly -wx (writable, searchable but not readable) will be erroneously skipped.  Finally, a randomly-generated filename is used, appropriate permissions (0600) and open(2) flags are used, and the file is unlinked once sqlite is finished with it.

RHEL ships by default with mode 1777 on /var/tmp, /usr/tmp and /tmp.

For this flaw to have any impact on a RHEL system:

  - the sysadmin would need to have changed permissions on all three tmp directories
  - the affected application would need to chdir() to a dangerous location:  in particular, a network share with poor permissions management, or removable media
  - the application would need to use VACUUM, a temp database, a materialized view, statement journals or transient indices involving sensitive data
  - an attacker would need to race to access the file, or recover it from deleted blocks

RHEL's builds of sqlite do not override any default options nor patch the source in a way that impacts this issue.
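
To make the two behaviours discussed above concrete (the rwx-versus-wx check in the description, and the search order plus cwd fallback in comment 4), the following is an added example written for this page. It is not SQLite's source and not code from this bug; it is a simplified re-implementation modeled on the search order listed in comment 4, with a pre-fix variant (`tempdir_legacy`) next to a post-fix variant (`tempdir_fixed`). The permission probe is injected as a function pointer so the logic can be run offline against a constructed fake directory table (`FAKE_FS`, `DEMO_CANDS`); those names, the probe abstraction and the table's modes are assumptions for the demonstration, not values taken from any real host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* A probe returns 0 when `dir` exists, is a directory and grants the
 * access() bits in `mode`; anything else means "not usable". It is
 * injected so the selection logic can run against a constructed table. */
typedef int (*dir_probe_fn)(const char *dir, int mode);

/* Production-style probe: stat() + S_ISDIR + access(). */
static int fs_probe(const char *dir, int mode) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return access(dir, mode);
}

/* Constructed fake filesystem (assumption for the demo, not real modes).
 * `mode` is the access the calling user would effectively have. */
struct fake_dir { const char *path; int mode; };
static const struct fake_dir FAKE_FS[] = {
    { "/var/tmp", 0 },                /* exists, but no access for this user */
    /* "/usr/tmp" deliberately absent: stat() would fail with ENOENT */
    { "/tmp",     W_OK | X_OK },      /* the -wx case from the report */
    { ".",        R_OK | W_OK | X_OK } /* cwd, e.g. a badly managed share */
};

static int fake_probe(const char *dir, int mode) {
    for (size_t i = 0; i < sizeof FAKE_FS / sizeof FAKE_FS[0]; i++)
        if (strcmp(FAKE_FS[i].path, dir) == 0)
            return (FAKE_FS[i].mode & mode) == mode ? 0 : -1;
    return -1;  /* directory does not exist */
}

/* Search order from comment 4: pragma, SQLITE_TMPDIR, TMPDIR, then the
 * three fixed directories. Unset entries are NULL and get skipped. */
#define N_CANDS 6
static void build_candidates(const char *pragma_dir, const char *cands[N_CANDS]) {
    cands[0] = pragma_dir;
    cands[1] = getenv("SQLITE_TMPDIR");
    cands[2] = getenv("TMPDIR");
    cands[3] = "/var/tmp";
    cands[4] = "/usr/tmp";
    cands[5] = "/tmp";
}

/* Pre-fix behaviour as described in the report: every candidate must
 * grant rwx (07), so a -wx directory is wrongly skipped, and when nothing
 * passes the caller still gets "." whether or not the cwd is safe. */
static const char *tempdir_legacy(const char *const *cands, size_t n, dir_probe_fn probe) {
    for (size_t i = 0; i < n; i++) {
        if (cands[i] == NULL) continue;
        if (probe(cands[i], R_OK | W_OK | X_OK) == 0) return cands[i];
    }
    return ".";  /* BUG: unconditional fallback to the current directory */
}

/* Post-fix behaviour: require only what creating and unlinking a file
 * needs (wx, 03) and never fall back to cwd. NULL tells the caller to fail
 * the operation with an I/O error rather than guess a location. */
static const char *tempdir_fixed(const char *const *cands, size_t n, dir_probe_fn probe) {
    for (size_t i = 0; i < n; i++) {
        if (cands[i] == NULL) continue;
        if (probe(cands[i], W_OK | X_OK) == 0) return cands[i];
    }
    return NULL;
}

/* Deterministic candidate list for the fake FS: no pragma, no env vars. */
static const char *const DEMO_CANDS[N_CANDS] = {
    NULL, NULL, NULL, "/var/tmp", "/usr/tmp", "/tmp"
};

int main(void) {
    const char *cands[N_CANDS];
    const char *fixed = tempdir_fixed(DEMO_CANDS, N_CANDS, fake_probe);
    printf("fake FS : legacy -> %s, fixed -> %s\n",
           tempdir_legacy(DEMO_CANDS, N_CANDS, fake_probe),
           fixed ? fixed : "(none: fail with I/O error)");
    build_candidates(NULL, cands);
    const char *real = tempdir_fixed(cands, N_CANDS, fs_probe);
    printf("this host: fixed -> %s\n", real ? real : "(none)");
    return 0;
}
```

Against the fake table the legacy variant skips /tmp because it lacks read permission and silently returns ".", while the fixed variant accepts /tmp; if no candidate is usable the fixed variant returns NULL, which is the point of the upstream change: refuse rather than write a temp database into whatever directory the process happens to be in.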

Comment 6 Fedora Update System 2016-07-14 14:50:54 UTC
sqlite-3.13.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.