| Summary: | CVE-2011-3616 conky: arbitrary file overwrite vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jlieskov, mlichvar, pertusus |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-02-11 04:07:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 676368 | ||
| Bug Blocks: | |||
Created conky tracking bugs for this issue. Affects: fedora-all [bug 676368]

Fedora conky packages are compiled without eve support.

Ah, yes, it is. Sorry about that. ./configure is missing --with-eve indeed. Thanks, I'll close the bugs.

The CVE identifier CVE-2011-3616 has been assigned to this issue [4].

[4] http://www.openwall.com/lists/oss-security/2011/10/10/8
A Debian bug report [1],[2] indicated that conky is vulnerable to an arbitrary file overwrite flaw. In the getSkillname() function of the Eve plugin, there is a race condition between when the plugin checks for the existence of /tmp/.cesf and when it writes to the file, easily beaten because getXmlFromAPI() is called in between (which can take time due to network latency, etc.). If a user were able to beat the race and create a symlink of /tmp/.cesf to any file the user running conky had write access to, they could overwrite the contents of that file.

In src/eve.c (lines 275-400) we have:

```c
static char *getSkillname(const char *file, int skillid)
{
	/* ... */
	if (!file_exists(file)) {
		skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
		writeSkilltree(skilltree, file);
		free(skilltree);
	}
	/* ... */

static char *eve(char *userid, char *apikey, char *charid)
{
	Character *chr = NULL;
	const char *skillfile = "/tmp/.cesf";
	/* ... */
	skill = getSkillname(skillfile, chr->skill);
```

The Debian bug report has a proposed patch [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033
[2] https://bugs.launchpad.net/ubuntu/+source/conky/+bug/607309
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033#10