Bug 863178

Summary: CVE-2012-4480 mom: world-writable PID file [fedora-all]
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: momAssignee: Adam Litke <alitke>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: security-response-team
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 15:50:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 863126, 863486    

Description Florian Weimer 2012-10-04 15:38:32 UTC 
daemonize in src/momd calls os.umask(0) when creating the daemon process.  As a result, the PID file is world-writable.

This dates back to incorrect example code in APUE.  It's probably best to just drop the umask call.
Comment 1 Vincent Danen 2012-10-04 17:38:50 UTC 
This is indeed a security concern.  I'll be filing a CVE bug for this.

Adam, am I correct in assuming that you are upstream for mom?

I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it).

I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would to handle it.
Comment 2 Adam Litke 2012-10-04 18:00:51 UTC 
Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How should we propagate the fix into Fedora?  I can just release a new upstream version which I had been planning to do soon anyway.  Is that okay?
Comment 3 Adam Litke 2012-10-04 21:52:39 UTC 
Fix comitted: http://gerrit.ovirt.org/#/c/8366/
Comment 4 Vincent Danen 2012-10-05 15:01:17 UTC 
Thanks, Adam.  Can you reference the CVE in any changelogs (maybe change the git commit)?  The CVE assigned is CVE-2012-4480.
Comment 5 Vincent Danen 2012-10-05 15:06:15 UTC 
(In reply to comment #2)
> Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How
> should we propagate the fix into Fedora?  I can just release a new upstream
> version which I had been planning to do soon anyway.  Is that okay?

A new upstream version with the fix would be a fine way to resolve this.
Comment 6 Vincent Danen 2012-10-05 15:10:44 UTC 
I'm making this bug public and into a tracking bug now that the commit is already public.

Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
Comment 7 Fedora Update System 2012-10-05 21:01:56 UTC 
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc17
Comment 8 Fedora Update System 2012-10-05 21:03:41 UTC 
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc18
Comment 9 Fedora Update System 2012-10-05 21:04:40 UTC 
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.el6
Comment 10 Fedora Update System 2012-10-06 03:46:58 UTC 
Package mom-0.3.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15496/mom-0.3.0-1.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 15:50:49 UTC 
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.