Bug 542688

Summary: bltk will run any command as root
Product: Fedora
Component: bltk
Version: 12
Status: CLOSED ERRATA
Severity: urgent
Priority: low
Hardware: All
OS: Linux
Reporter: Matthew Garrett <mjg>
Assignee: Jiri Skala <jskala>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: aglotov, bressers, jfeeney, security-response-team, vdanen
Keywords: Reopened, Security
Target Milestone: ---
Target Release: ---
Whiteboard:
Fixed In Version: bltk-1.0.8-3.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-18 22:32:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
  sudoectomy (flags: none)

Description Matthew Garrett 2009-11-30 15:05:59 UTC
/usr/lib/bltk/bin/bltk_sudo is suid root and will run any application as root without performing any sort of authentication. This functionality is used minimally in the code - I'll produce a patch shortly.

/usr/lib/bltk/bin/bltk_sudo /bin/bash
#
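The description above is the whole problem: a setuid-root helper that executes whatever path it is handed. The audit helper below is an added example, not part of bltk or of this bug report; it shows how a defender would inventory setuid binaries on a host and flag any that are not in a known baseline, which is how an unexpected helper under /usr/lib would surface. The allowlist file format and the sample paths in the comments are assumptions, not anything the bug report specifies.

```shell
#!/bin/sh
# Added audit helper (not bltk code, not from the bug report).
# Lists setuid files under a directory and reports those missing from an
# allowlist of expected setuid programs. The allowlist is a plain text file
# with one absolute path per line; its contents are an assumption you supply
# from your own distribution's baseline.

# Print every regular file under $1 with the setuid bit (mode 4000) set,
# one absolute path per line. -xdev stays on one filesystem; stderr is
# discarded so unreadable directories do not pollute the listing. Output is
# sorted so repeated runs can be diffed.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that are NOT listed in the allowlist file $2.
# A helper such as the one described in this bug (/usr/lib/bltk/bin/bltk_sudo)
# would appear here because no baseline lists it. If the allowlist file is
# missing, grep fails and every setuid file is reported, which is the safe
# direction for an audit.
unexpected_setuid() {
    find_setuid "$1" | while IFS= read -r path; do
        if ! grep -qxF "$path" "$2"; then
            printf '%s\n' "$path"
        fi
    done
}

# Print "owner mode path" for each setuid file under $1, so a reviewer can
# filter on root-owned entries, which are the ones that confer root.
# stat -c is GNU coreutils; on BSD/macOS use: stat -f '%Su %Lp' "$path"
describe_setuid() {
    find_setuid "$1" | while IFS= read -r path; do
        printf '%s %s\n' "$(stat -c '%U %a' "$path")" "$path"
    done
}
```

Typical use is `unexpected_setuid / /etc/setuid-baseline.txt` from a cron job or configuration-management check, with the baseline regenerated from a freshly installed system; any new entry under a package's private lib directory deserves the same scrutiny this report gave bltk_sudo.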

Comment 1 Matthew Garrett 2009-11-30 15:48:18 UTC
Created attachment 374787 [details]
sudoectomy

This (against git head) removes all the sudo functionality. Untested, will limit some of the output, ought to work.

Comment 2 Jiri Skala 2009-12-11 08:35:59 UTC
I modified the patch - usage of hdparm is replaced with devkit-disks to keep functionality.

Comment 3 Vincent Danen 2009-12-11 16:42:00 UTC
I see an update submitted for Fedora testing.  Should this bug be opened up?  Have we reported this upstream?  What about a CVE name?  I also assume this affects Fedora 11?  Thanks for any info before approving it.

Comment 4 Matthew Garrett 2009-12-11 16:46:47 UTC
Bug has been submitted upstream. No CVE has been assigned. It also affects F11.

Comment 5 Vincent Danen 2009-12-11 17:07:27 UTC
I'm assuming upstream has not requested an embargo of any sort, if we're pushing updates now?  Or has this been fixed upstream already in a public repository?  Hard to tell looking at the website as it lists 1.0.8 as the latest version for download, but we have 1.0.9 in Fedora 12 so it looks outdated.

Comment 6 Jiri Skala 2009-12-14 07:51:26 UTC
F11 version is currently unstable. There is some issue that freezes the system. This has appeared without bltk changes. I have to investigate it. This is the main reason why the patch is not backported to F11 (already prepared).

Jiri

Comment 7 Vincent Danen 2009-12-14 15:33:54 UTC
Sure, but the question was whether or not this was public upstream already.  I'm unable to tell that from their website.  If it is public, we should bring it up on oss-security and request a CVE name so other vendors can correct this as well.

Thanks.

Comment 8 Jiri Skala 2009-12-21 09:06:50 UTC
(In reply to comment #7)
> Sure, but the question was whether or not this was public upstream already. 
> I'm unable to tell that from their website.  If it is public, we should bring
> it up on oss-security and request a CVE name so other vendors can correct this
> as well.
> 
> Thanks.  

I've sent my changes in Matthew's patch to upstream + info about your comment + link to this bug.

Jiri

Comment 9 Vincent Danen 2009-12-24 22:30:37 UTC
Does upstream have a bugzilla or anything where this would have been reported and/or made public already (to ensure they have had time to have it corrected prior to pushing our Fedora update)?  Has upstream responded to your mail, etc?

Thanks.

Comment 10 Jiri Skala 2010-01-02 20:36:25 UTC
The upstream doesn't have any bugzilla afaik. The package has crossed the border of its original intention. This documents their reaction:

"Originally BLTK was only meant to be used in a test environment and not on production machine so the security was a bit laxed."

They have sources in git. I have access to the latest sources. Upstream is active; they respond quickly. They are working on actualising the sources and integrating this bug fix.

Comment 11 Vincent Danen 2010-01-04 22:35:13 UTC
Is the fix public?  If so, then the fedora update can go out.  If not, we need to keep sitting on it until it is.  Please advise.  Thanks.

Comment 12 Tomas Hoger 2010-01-19 10:16:00 UTC
Can the update be pushed or not?

Comment 13 Vincent Danen 2010-01-22 18:03:57 UTC
Jiri: can this update be pushed yet?  It's been sitting in the queue.  While I would like to respect upstream, without any public information it's hard to know whether they have made this information available or not, whether it's fixed or not, etc.  Can you ask whether or not they have any objection to us letting the Fedora update go through?  It's been sitting in the queue for 42 days now.

Thanks.

Comment 14 Tomas Hoger 2010-01-27 15:40:17 UTC
Opening bug.  Jiri notified upstream, further embargo was not requested.

Comment 15 Fedora Update System 2010-01-29 03:33:38 UTC
bltk-1.0.9-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Matthew Garrett 2010-02-01 22:29:24 UTC
As noted in comment 4, this also affects F11.

Comment 17 Fedora Update System 2010-02-16 19:52:34 UTC
bltk-1.0.8-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bltk-1.0.8-3.fc11

Comment 18 Fedora Update System 2010-02-18 22:32:45 UTC
bltk-1.0.8-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.