Bug 498648 (CVE-2009-1631)

Summary: CVE-2009-1631 evolution: insecure permissions on evolution mailbox folders
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: bressers, jlieskov, mbarnes
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-12-04 18:21:33 UTC

Description Vincent Danen 2009-05-01 16:30:23 UTC
A Debian bug report [1] brought to light the fact that Evolution does not
create its data files with appropriate permissions.  Because of this, if user A
on a system uses Evolution for email, user B can read any of user A's email.
The default permissions for ~/.evolution is 0755, and the default permissions
for Evolution data files is 0644 (although strangely enough the default
permissions for .index* files is 0600).

As well, by default in Fedora and RHEL5, a user's home directory has mode 0755 permissions. 

By contrast, Firefox creates ~/.mozilla/firefox as mode 0700, protecting user bookmarks and caches.

Evolution should probably create/enforce ~/.evolution being mode 0700.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409

Comment 1 Jan Lieskovsky 2009-05-14 17:42:46 UTC
CVE-2009-1631:

The Mailer component in Evolution 2.26.1 and earlier uses
world-readable permissions for the .evolution directory, and certain
directories and files under .evolution/ related to local mail, which
allows local users to obtain sensitive information by reading these
files. 

Upstream report:
http://bugzilla.gnome.org/show_bug.cgi?id=581604

Comment 2 Matthew Barnes 2009-05-18 14:56:01 UTC
I'm not really convinced this is a security issue.  Once you open up your home directory to other users the game's over.  They can just as easily read personal financial spreadsheets or other sensitive data as they can my mail.

Comment 3 Vincent Danen 2009-05-19 16:55:00 UTC
Note that the defaults in RHEL5 and Fedora are to create home directories mode 0755, so this is an issue by default.  This isn't a user opening up their home directory; we create them opened up.

This probably wouldn't be an issue if home directories were mode 0700 by default and then the user had to relax permissions manually, but since we do this for them, I would consider it a security issue.

Comment 4 Vincent Danen 2009-05-26 17:59:53 UTC
Hmmm... I'm looking into this further and I may be mistaken, but I can't account for why some of my home directories are mode 0755 on various systems.  Taking a look at using useradd on RHEL3, 4, and 5 shows new users have home directories mode 0700 by default, and likewise on Fedora 11.  On a Fedora 10 install where the home directory was mode 0755, using useradd and also system-config-user to create a new user creates them with mode 0700 permissions.

So I agree with Matthew on this issue, it's not a security issue by default and if a user intentionally opens up their home directory, they should take care to chmod 700 ~/.evolution/ if they want to keep the data private.

This may make for a good enhancement for future Evolution packages or, better yet, something that upstream would take into account (since some files are protected while others are not).  Activity on the upstream bug report is non-existent.

Comment 6 Matthew Barnes 2009-05-26 20:19:50 UTC
(In reply to comment #4)
> This may make for a good enhancement for future Evolution packages or, better
> yet, something that upstream would take into account (since some files are
> protected while others are not).  Activity on the upstream bug report is
> non-existent.  

Certainly it's a valid bug.  We should be creating ~/.evolution with 0700 permissions.  Not sure if it's worth enforcing this for existing installs.

I'm an upstream maintainer, so I'll try to get this taken care of for the next upstream stable and development releases.

Comment 7 Vincent Danen 2009-05-26 22:02:59 UTC
Yeah, I think on Evolution's first run it would probably be enough to create ~/.evolution as 0700 and maybe do permission checks on startup or something to enforce it.  I don't believe it's necessary to drill down and set umasks or anything (as suggested in the Debian bug report).

And no, I agree that this may not be worth the effort for existing installs as a mode 0755 home directory should not be default.  At the very best this is a low impact issue, and we could possibly defer it for future inclusion in an Evolution update if upstream agrees this is the way to go.

Thanks, Matthew.

Comment 11 Vincent Danen 2009-12-04 18:21:33 UTC
Red Hat does not consider this to be a security issue.  By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions.  If a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.
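
The point the thread turns on, as an added example (not part of the bug report or of Evolution's code): a file under ~/.evolution is readable by other local users only if every directory from the home directory down grants them traversal and the file itself grants read. The temporary tree, the file names and the function names are constructed for illustration, and the path leading up to the home directory is assumed traversable.

```python
import os
import stat
import tempfile

def exposed_files(home, subdir=".evolution"):
    """Return paths (relative to home) under home/subdir readable by 'other'.

    Reachable means: every directory from `home` down has the other-execute
    bit and the file has the other-read bit. Mode bits only; ACLs ignored.
    """
    exposed = []

    def walk(directory):
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return  # others cannot traverse; nothing below is reachable
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                walk(entry.path)
            elif entry.is_file(follow_symlinks=False):
                if entry.stat(follow_symlinks=False).st_mode & stat.S_IROTH:
                    exposed.append(os.path.relpath(entry.path, home))

    if os.stat(home).st_mode & stat.S_IXOTH:
        walk(os.path.join(home, subdir))
    return exposed

def restrict(home, subdir=".evolution"):
    """Apply the mitigation from the thread: chmod 700 ~/.evolution."""
    os.chmod(os.path.join(home, subdir), 0o700)

def build_sample_home(home_mode):
    """Constructed tree using the modes from the report: dirs 0755,
    data files 0644, .index* files 0600."""
    home = tempfile.mkdtemp()
    top = os.path.join(home, ".evolution")
    mail = os.path.join(top, "mail", "local")
    os.makedirs(mail)
    for d in (top, os.path.join(top, "mail"), mail):
        os.chmod(d, 0o755)  # explicit chmod so the umask does not matter
    for name, mode in (("Inbox", 0o644), (".index", 0o600)):
        path = os.path.join(mail, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    os.chmod(home, home_mode)
    return home

if __name__ == "__main__":
    for mode in (0o755, 0o700):
        print(oct(mode), exposed_files(build_sample_home(mode)))
```

With the home directory at 0755 the 0644 mailbox file is reported while the 0600 index file is not; with the home directory at 0700, or after restrict() on a 0755 home, nothing is reported.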