Bug 1714855

Summary: libqb: privileged IPC client naively prone to truncating/deleting semi-arbitrary files even if otherwise protected from an unprivileged IPC server
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: andrew, ccaulfie, cfeist, cluster-maint, dvossel, hvyas, jfriesse, jpokorny, kgaillot, puebele, security-response-team, sisharma, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-21 07:02:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1695950

Description Huzaifa S. Sidhpurwala 2019-05-29 04:28:18 UTC
A flaw was found in libqb in which a privileged client application linked against libqb could overwrite arbitrary files it has access to with at least partially attacker-controlled data, which could cause the following consequences:

- either such an arbitrary file can be intentionally shrunk from its original, bigger size (allowing an attacker to refine the granularity for some other brute-force extraction of the original file content, for instance, when combined with an issue akin to CVE-2013-4209),

- or such a file can be blown from its original size, possibly causing DoS (due to limited storage capacity), unless the underlying FS supports sparse files (?)

Comment 1 Huzaifa S. Sidhpurwala 2019-05-29 04:28:28 UTC
Acknowledgments:

Name: Jan Pokorný (Red Hat)

Comment 4 Huzaifa S. Sidhpurwala 2020-04-21 07:02:36 UTC

*** This bug has been marked as a duplicate of bug 1695948 ***