Bug 476529 (CVE-2008-6755)

Summary: CVE-2008-6755 zoneminder: default permissions of zm.conf
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: zoneminderAssignee: Martin Ebourne <fedora>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: fedora, j
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-07 09:26:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-12-15 13:22:38 UTC 
While checking Gentoo bug:

  http://bugs.gentoo.org/show_bug.cgi?id=250715

I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf.  Therefore, Fedora defaults does now allow reading the config file directly using cat or vim.  chmod o-r is probably not much of a fix in setups where local users can run own php or cgi scripts with web server privileges.

However, in such setups, Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity).

In similar cases, where some daemon user needs read access to certain config file, root:<daemon_group> 640 is more common.  Please check if changing:

%config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf

to

%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf

makes sense for ZM.
Comment 1 Fedora Update System 2008-12-15 21:47:40 UTC 
zoneminder-1.23.3-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/zoneminder-1.23.3-2.fc10
Comment 2 Fedora Update System 2008-12-21 08:46:57 UTC 
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update zoneminder'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11484
Comment 3 Fedora Update System 2009-01-07 09:26:35 UTC 
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Vincent Danen 2009-04-27 22:08:33 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6755 to
the following vulnerability:

Name: CVE-2008-6755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
Assigned: 20090427
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=476529
Reference: FEDORA:FEDORA-2008-11484
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00204.html

ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
the apache user account, and sets the permissions to 0600, which makes
it easier for remote attackers to modify this file by accessing it
through a (1) PHP or (2) CGI script.