Bug 1352437 (CVE-2016-6153)
| Field | Value |
|---|---|
| Summary | CVE-2016-6153 sqlite: Tempdir selection vulnerability |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Adam Mariš <amaris> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| CC | alex, bazanluis20, databases-maint, dmoppert, drizt72, erik-fedora, fedora-mingw, fedora, hhorak, jakub.dornak, jdornak, jstanek, mschorm, pkubat, praiskup, redhat-bugzilla, rjones, sardella, slawomir, wilmer5 |
| Last Closed | 2016-07-06 03:15:17 UTC |
| Bug Depends On | 1352438, 1352439, 1352440, 1352442, 1352443 |
| Bug Blocks | 1352447 |

Description
Adam Mariš
2016-07-04 07:47:10 UTC
Created sqlite2 tracking bugs for this issue:

- Affects: fedora-all [bug 1352439]
- Affects: epel-all [bug 1352443]

Created sqlite tracking bugs for this issue:

- Affects: fedora-all [bug 1352438]

Created mingw-sqlite tracking bugs for this issue:

- Affects: fedora-all [bug 1352440]
- Affects: epel-7 [bug 1352442]

The impact of this issue is certainly low, if it can even be considered a security flaw. The hard-coded temp dir search path follows:

1. temp_store_directory pragma (if defined)
2. SQLITE_TMPDIR environment var
3. TMPDIR env var
4. /var/tmp
5. /usr/tmp
6. /tmp

Only if all of these are exhausted is the cwd used. The impact of this bug is such that directories with permissions (relative to the user) of exactly -wx (writable, searchable but not readable) will be erroneously skipped. Finally, a randomly-generated filename is used, appropriate permissions (0600) and open(2) flags are used, and the file is unlinked once sqlite is finished with it.

RHEL ships by default with mode 1777 on /var/tmp, /usr/tmp and /tmp. For this flaw to have any impact on a RHEL system:

- the sysadmin would need to have changed permissions on all three tmp directories
- the affected application would need to chdir() to a dangerous location: in particular, a network share with poor permissions management, or removable media
- the application would need to use VACUUM, a temp database, a materialized view, statement journals or transient indices involving sensitive data
- an attacker would need to race to access the file, or recover it from deleted blocks

RHEL's builds of sqlite do not override any default options nor patch the source in a way that impacts this issue.

sqlite-3.13.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
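
The search order and the -wx skip described above can be audited on a host with a short script. This is an added example, not code from SQLite or from this bug report; it assumes the affected check required read, write and search permission while the corrected check needs only write and search, and the names `candidates`, `select_tempdir`, `audit` and `fake_fs` are illustrative.

```python
import os

# Fixed part of the search path quoted in the comment above.
FALLBACK_DIRS = ["/var/tmp", "/usr/tmp", "/tmp"]
CWD = "."  # how this sketch represents "use the current directory"


def candidates(pragma_dir=None, env=None):
    """Candidate directories in the order the comment lists them."""
    env = os.environ if env is None else env
    ordered = [pragma_dir, env.get("SQLITE_TMPDIR"), env.get("TMPDIR"),
               *FALLBACK_DIRS]
    return [d for d in ordered if d]


def select_tempdir(cands, require_read, access=os.access, isdir=os.path.isdir):
    """Return the first usable directory, else the cwd.

    Assumption: require_read=True models the affected check (r+w+x needed),
    require_read=False the corrected one (w+x is enough).
    """
    mask = os.W_OK | os.X_OK | (os.R_OK if require_read else 0)
    for d in cands:
        if isdir(d) and access(d, mask):
            return d
    return CWD


def audit(cands, access=os.access, isdir=os.path.isdir):
    """Compare the directory chosen by the affected and corrected checks."""
    affected = select_tempdir(cands, True, access, isdir)
    corrected = select_tempdir(cands, False, access, isdir)
    return {"affected": affected, "corrected": corrected,
            "falls_back_to_cwd": affected == CWD,
            "wx_only_dir_skipped": affected != corrected}


def fake_fs(perms):
    """Constructed filesystem for offline runs: {path: permission bits}."""
    return (lambda p, m: (perms.get(p, 0) & m) == m), (lambda p: p in perms)


if __name__ == "__main__":
    # Constructed case: every standard temp dir is -wx for this user.
    wx = os.W_OK | os.X_OK
    access, isdir = fake_fs({d: wx for d in FALLBACK_DIRS})
    print("constructed:", audit(candidates(env={}), access, isdir))
    print("this host:  ", audit(candidates()))
```

Run the host check as the account the application uses; root bypasses directory permission bits, so its result says nothing about an unprivileged service.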