Bug 1919933 (CVE-2020-8025)
| Summary: | CVE-2020-8025 pcp: Insecure permission of /var/lib/pcp/tmp/ directories on SUSE | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agerstmayr, jkurik, mgoodwin, nathans, patrickm, pcp-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-01-31 23:25:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1919937 | ||
| Bug Blocks: | 1919935 | ||
|
Description
Dhananjay Arunesh
2021-01-25 12:14:04 UTC
Created pcp tracking bugs for this issue: Affects: fedora-all [bug 1919937] What is the "permissions package" in this context? From minimal google-ing, is it this...?
https://software.opensuse.org/package/permissions
This package does not exist on Fedora or RHEL, AFAICT?
I'm not aware of any "permissions" package in Fedora, can you point me to it? afaics this CVE affects the https://github.com/openSUSE/permissions package, and this bug was fixed in https://github.com/openSUSE/permissions/commit/2a9b42a535a91e733e3efafdb28edf7499ab53ba To me it looks like this package is only available for SuSE, and hence Fedora is not affected by this CVE. A similar package is https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/pcp.fc, but that configuration seems right regarding /var/lib/pcp. As discussed in the two previous comments, this appears to have been opened in error - the package with the problem does not exist in either Fedora or RHEL. Please feel free to re-open if this is incorrect or new information comes to light. In reply to comment #2: > What is the "permissions package" in this context? From minimal google-ing, > is it this...? > > https://software.opensuse.org/package/permissions > > This package does not exist on Fedora or RHEL, AFAICT? Edited the comments0 with new update: A vulnerability was found where the Base:System/permissions package could provide weaker than expected security, caused by an incorrect execution-assigned permissions flaw. An attacker could exploit this vulnerability to launch further attacks on the system Let me know if you need any more information. (In reply to Dhananjay Arunesh from comment #5) > [...] > Let me know if you need any more information. We can't find any such package in Fedora/RHEL ... and certainly no reason for this BZ to have been assigned to pcp component. It looks like a SUSE-specific issue AFAICT. The important part of the CVE information that has not been propagated to this bug is the link to the relevant SUSE bug report: https://bugzilla.suse.com/show_bug.cgi?id=1171883 That bug explains that in a non-default configuration of SUSE Linux permissions of the directory /var/lib/pcp/tmp/ and certain of its subdirectories can be overridden to more permissive root:root 1777, i.e. world writable with a sticky bit, similar to what's used for /tmp or /var/tmp. The following comment has some notes on the possible impact: https://bugzilla.suse.com/show_bug.cgi?id=1171883#c21 As noted in the comments above, this problem is specific to how pcp is packages in SUSE distributions and is not applicable to Red Hat Enterprise Linux or Fedora. |