Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-4480 mom: world-writable PID file [fedora-all]|
|Product:||[Fedora] Fedora||Reporter:||Florian Weimer <fweimer>|
|Component:||mom||Assignee:||Adam Litke <alitke>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Target Milestone:||---||Keywords:||Security, SecurityTracking|
|Fixed In Version:||Doc Type:||Release Note|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-12-20 10:50:44 EST||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
|Bug Blocks:||863126, 863486|
Description Florian Weimer 2012-10-04 11:38:32 EDT
daemonize in src/momd calls os.umask(0) when creating the daemon process. As a result, the PID file is world-writable. This dates back to incorrect example code in APUE. It's probably best to just drop the umask call.
Comment 1 Vincent Danen 2012-10-04 13:38:50 EDT
This is indeed a security concern. I'll be filing a CVE bug for this. Adam, am I correct in assuming that you are upstream for mom? I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it). I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would to handle it.
Comment 2 Adam Litke 2012-10-04 14:00:51 EDT
Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How should we propagate the fix into Fedora? I can just release a new upstream version which I had been planning to do soon anyway. Is that okay?
Comment 4 Vincent Danen 2012-10-05 11:01:17 EDT
Thanks, Adam. Can you reference the CVE in any changelogs (maybe change the git commit)? The CVE assigned is CVE-2012-4480.
Comment 5 Vincent Danen 2012-10-05 11:06:15 EDT
(In reply to comment #2) > Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How > should we propagate the fix into Fedora? I can just release a new upstream > version which I had been planning to do soon anyway. Is that okay? A new upstream version with the fix would be a fine way to resolve this.
Comment 6 Vincent Danen 2012-10-05 11:10:44 EDT
I'm making this bug public and into a tracking bug now that the commit is already public. Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
Comment 7 Fedora Update System 2012-10-05 17:01:56 EDT
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc17
Comment 8 Fedora Update System 2012-10-05 17:03:41 EDT
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc18
Comment 9 Fedora Update System 2012-10-05 17:04:40 EDT
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/mom-0.3.0-1.el6
Comment 10 Fedora Update System 2012-10-05 23:46:58 EDT
Package mom-0.3.0-1.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15496/mom-0.3.0-1.fc17 then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 10:50:49 EST
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.