Bug 1395040

Summary:	vagrant nfs exports race
Product:	[Fedora] Fedora	Reporter:	Aron Griffis <aron>
Component:	vagrant	Assignee:	Vít Ondruch <vondruch>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	24	CC:	security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Unspecified
Whiteboard:
Fixed In Version:	vagrant-1.8.1-3.fc23 vagrant-1.8.1-5.fc24 vagrant-1.8.5-2.fc25	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-11-29 23:52:42 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Aron Griffis 2016-11-15 02:00:32 UTC

Description of problem:
vagrant has a tempfile race that can allow an unprivileged local user to insert arbitrary nfs exports.

Version-Release number of selected component (if applicable):
anything older than 1.8.7

Steps to Reproduce:
See https://github.com/mitchellh/vagrant/issues/7938

Here's the exploit steps I provided to hashicorp's security email:

1. Attacker creates file ahead of time, writable so cp will succeed.

touch /tmp/exports
chmod a+rw /tmp/exports

2. Attacker uses inotifywait to watch for file modifications (indicating the cp) and immediately substitute or append an export that allows them to access files they shouldn't.

3. Vagrant user with sudo privs does "vagrant up". This does the cp/sed sequence on /tmp/exports. (If sudo asks for a password then the race is exceptionally in the attacker's favor)

Additional info:
It's fixed in 1.8.7.

Comment 1 Andrej Nemec 2016-11-18 13:39:33 UTC

This is already public and has an upstream patch available, we can update the packages in Fedora to the latest upstream version to prevent it. There is no CVE assignment and the issue is lower because it needs local access.

Comment 2 Fedora Update System 2016-11-18 13:50:06 UTC

vagrant-1.8.5-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2

Comment 3 Fedora Update System 2016-11-18 13:50:46 UTC

vagrant-1.8.1-5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47

Comment 4 Fedora Update System 2016-11-18 13:51:31 UTC

vagrant-1.8.1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8

Comment 5 Fedora Update System 2016-11-18 20:27:22 UTC

vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2

Comment 6 Fedora Update System 2016-11-19 08:56:29 UTC

vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8

Comment 7 Fedora Update System 2016-11-19 18:50:30 UTC

vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47

Comment 8 Fedora Update System 2016-11-29 23:52:42 UTC

vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-11-30 03:52:05 UTC

vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-11-30 05:27:32 UTC

vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.