Bug 1695948 (CVE-2019-12779)

Summary: CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew, ccaulfie, cluster-maint, dvossel, huzaifas, jfriesse, jpokorny, kgaillot, sisharma, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libqb 1.0.4
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1695949, 1714853, 1714854
Bug Blocks: 1695950

Description Pedro Sampaio 2019-04-03 23:30:00 UTC
A flaw was found in libqb. Insecure handling of temporary files could be exploited by a local attacker to overwrite privileged system files.

Upstream issue:

https://github.com/ClusterLabs/libqb/issues/338

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1685297

Comment 1 Pedro Sampaio 2019-04-03 23:30:13 UTC
Created libqb tracking bugs for this issue:

Affects: fedora-all [bug 1695949]

Comment 4 Christine Caulfield 2019-04-16 08:10:43 UTC
v1.0.4 has been released upstream to fix these issues

Comment 6 Jan Pokorný [poki] 2019-04-26 09:17:18 UTC
Has a CVE been assigned for this flaw, yet?

FTR, v1.0.4 could technically solve the problem, but we don't want
to advertise that version anywhere, for being botched, rendering its
prime use case (cluster stack) unusable -- subsequent v1.0.5 fixes that:
https://lists.clusterlabs.org/pipermail/users/2019-April/025712.html

Comment 9 Huzaifa S. Sidhpurwala 2019-05-29 04:12:23 UTC
Analysis:

The problem basically lies in how temporary files are handled by libqb.

1. Predictable file names are used in the world-writable directories, namely /dev/shm and /tmp.
2. The O_EXCL flag is not used when creating temp files.

This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

The most likely attack scenario is when a privileged program linked against libqb uses temp files. Due to the race condition, it is possible that the attacker could overwrite arbitrary system files.

Patch:

https://github.com/ClusterLabs/libqb/commit/e322e98dc264bc5911d6fe1d371e55ac9f95a71e
https://github.com/ClusterLabs/libqb/commit/7cd7b06d52ac80c343f362c7e39ef75495439dfc
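The two defects listed in comment 9, as an added illustration that is not libqb's code: an open() without O_EXCL silently accepts a file already sitting at the predictable path, while the hardened variant refuses it with EEXIST. The helper names and the path layout are hypothetical; the demo plants its own file in a private directory to stand in for a pre-existing one.

```c
/* Added example (not libqb code): unsafe temp-file open beside a hardened
 * variant, and a demo showing how each reacts to a pre-existing file. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: predictable name, O_CREAT without O_EXCL. Whatever is
 * already at that path (a file or a symlink) is opened and truncated. */
int qb_tmp_open_unsafe(const char *path)
{
    return open(path, O_CREAT | O_TRUNC | O_RDWR, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything is already at
 * the path, O_NOFOLLOW refuses symlinks, mode 0600 keeps the file private. */
int qb_tmp_open_safe(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_NOFOLLOW | O_RDWR, 0600);
}

/* Plant a file at a predictable name (constructed stand-in for a file left
 * there by another local user), then try both opens. Returns 1 when the
 * unsafe open accepted the planted file and the safe open rejected it with
 * EEXIST, 0 otherwise. Cleans up after itself. */
int demo_preexisting_file(void)
{
    char dir[] = "/tmp/qb-demo-XXXXXX";   /* private scratch directory */
    char path[64];
    int fd, unsafe_fd = -1, safe_fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/qb-ipc-1234", dir);

    fd = open(path, O_CREAT | O_WRONLY, 0644);   /* the planted file */
    if (fd < 0)
        goto out;
    close(fd);

    unsafe_fd = qb_tmp_open_unsafe(path);
    errno = 0;
    safe_fd = qb_tmp_open_safe(path);
    result = (unsafe_fd >= 0) && (safe_fd < 0) && (errno == EEXIST);
    if (unsafe_fd >= 0)
        close(unsafe_fd);
out:
    unlink(path);
    rmdir(dir);
    return result;
}
```

On a libqb build that is not yet at the fixed version, the same O_EXCL failure is what the patches above introduce; the demo only shows the behavioural difference, not any of the upstream code.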

Comment 13 Jan Pokorný [poki] 2019-06-07 19:13:50 UTC
Re [comment 6]: as instructed, asked for a CVE from MITRE.
Will report back here.

Comment 14 Jan Pokorný [poki] 2019-06-08 05:37:22 UTC
This has been assigned CVE-2019-12779.

Comment 15 errata-xmlrpc 2019-11-05 21:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3610 https://access.redhat.com/errata/RHSA-2019:3610

Comment 16 Product Security DevOps Team 2019-11-06 00:52:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12779

Comment 17 errata-xmlrpc 2020-03-31 19:33:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1189 https://access.redhat.com/errata/RHSA-2020:1189

Comment 18 Huzaifa S. Sidhpurwala 2020-04-21 07:02:36 UTC
*** Bug 1714855 has been marked as a duplicate of this bug. ***