Bug 1611119 (CVE-2018-14348)

Summary: CVE-2018-14348 libcgroup: cgrulesengd creates log files with insecure permissions
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, bleanhar, bmcclain, ccoleman, dblechte, dedgar, dfediuck, eedri, jchaloup, jgoulding, jokerman, jsafrane, jwboyer, mchappel, mgoldboi, michal.skrivanek, nforro, sbonazzo, sherold
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 19:19:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1611121, 1611122, 1612122    
Bug Blocks: 1611124    

Description Sam Fowler 2018-08-02 06:03:28 UTC 
The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with world readable and writable permissions (0o666) due to a reset of the file mode creation mask (umask(0)) in the daemon/cgrulesengd.c:cgre_start_daemon() function.


Upstream Patch:

https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
Comment 1 Sam Fowler 2018-08-02 06:04:14 UTC 
Created libcgroup tracking bugs for this issue:

Affects: fedora-all [bug 1611121]
Comment 3 Riccardo Schirone 2018-08-03 13:08:31 UTC 
Fedora is not affected as it disables the daemon, through the `--disable-daemon` option in the configure script, thus it does not contain the cgrulesengd binary.
Comment 5 Riccardo Schirone 2018-08-03 14:32:34 UTC 
In RHEL 7 default options in /etc/sysconfig/cgred, which are used when the daemon is started through systemd, use the syslog facility, thus the log file is not created by the daemon itself, making it not vulnerable to this flaw by default.
Comment 7 errata-xmlrpc 2019-08-06 12:07:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2047 https://access.redhat.com/errata/RHSA-2019:2047
Comment 8 Product Security DevOps Team 2019-08-06 19:19:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-14348