Bug 875842 (CVE-2012-5530)

Summary: CVE-2012-5530 pcp: Insecure temporary file use flaws
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: fche, jrusnack, mattn, mcermak, mfranc, mgoodwin, nathans, security-response-team, tdohnale, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-11-20 12:06:36 UTC
Bug Depends On: 876533, 877983, 877984
Bug Blocks: 876530
Attachments (description: flags):
Preliminary form of proposed patch created by David Disseldorp of SUSE: none
Archive with updated patches: none
Fix a minor regression introduced in pcp(1) command from original tmpfile fixes: none
Close possible races in scripted creation of pcp temp dirs by having packages create them: none

Description Jan Lieskovsky 2012-11-12 16:28:10 UTC
A security flaw was found in the way Performance Co-Pilot (PCP), a framework and services to support system-level performance monitoring and performance management, performed management of its temporary files used by various services from the suite. A local attacker could use this flaw to conduct symbolic link attacks (alter or remove system files other than those originally intended, accessible with the privileges of the user running the PCP suite).

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=782967 (private)
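
Symlink attacks on temporary files typically arise when a script writes to a predictable name in a shared directory. The sketch below is an added example, not part of this bug report and not code from PCP or the attached patches; it contrasts that pattern with a private `mktemp -d` directory plus exclusive creation. All function names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: generic temp-file handling, not PCP's scripts or patches.
# All paths and names below are constructed for the demo.

# Weak: predictable name in a shared directory. ">" follows a symlink that is
# already present at that path and truncates whatever it points to.
write_predictable() {            # $1 = shared dir, $2 = file name, $3 = data
    printf '%s\n' "$3" > "$1/$2"
}

# Hardened, step 1: mktemp -d creates a randomly named directory atomically
# with mode 0700, so no other user can place entries inside it.
make_private_dir() {             # $1 = parent dir; prints the new directory
    mktemp -d "$1/demo.XXXXXXXXXX"
}

# Hardened, step 2: with noclobber (set -C) ">" fails when the path is an
# existing regular file, directly or through a symlink. bash and dash create
# new files with O_EXCL, so a dangling symlink is refused as well.
write_exclusive() {              # $1 = path, $2 = data; non-zero if refused
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Returns 0 when a pre-placed symlink is refused and its target is unchanged.
symlink_is_refused() {
    sb=$(mktemp -d "${TMPDIR:-/tmp}/sandbox.XXXXXXXXXX") || return 2
    echo original > "$sb/target"
    ln -s "$sb/target" "$sb/demo.1234"        # stands in for a planted link
    rc=1
    if ! write_exclusive "$sb/demo.1234" new &&
       [ "$(cat "$sb/target")" = original ]; then rc=0; fi
    rm -rf "$sb"
    return $rc
}

if symlink_is_refused; then echo "existing symlink refused"; fi
```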

Comment 2 Jan Lieskovsky 2012-11-12 16:32:28 UTC
Preliminary embargo date for this issue has been set up to this Friday, 2012-11-16.

Comment 3 Jan Lieskovsky 2012-11-12 16:34:44 UTC
Acknowledgements:

Red Hat would like to thank SUSE Security Team for reporting this issue. SUSE Security Team acknowledges Thomas Biege of SUSE as the original issue reporter.

Comment 4 Jan Lieskovsky 2012-11-13 10:24:16 UTC
Created attachment 644042
Preliminary form of proposed patch created by David Disseldorp of SUSE


Note: Might not be complete. Subsequent versions (if any) will be attached here too as soon as we have received them.

Comment 6 Jan Lieskovsky 2012-11-14 10:31:24 UTC
Created attachment 644747
Archive with updated patches

Comment 8 Nathan Scott 2012-11-16 09:39:10 UTC
FYI - discussing the patches further with David (ddiss at suse - original fix author) we have identified one further fix and a regression in his original fixes. Both will be attached shortly. David has these too now, but perhaps they should be sent out to any other distributors.

With these, the PCP testsuite is looking in fairly good shape at this stage.

cheers.

--
Nathan

Comment 9 Nathan Scott 2012-11-16 09:40:44 UTC
Created attachment 646265
Fix a minor regression introduced in pcp(1) command from original tmpfile fixes

Comment 10 Nathan Scott 2012-11-16 09:45:11 UTC
Created attachment 646266
Close possible races in scripted creation of pcp temp dirs by having packages create them

Comment 11 Jan Lieskovsky 2012-11-16 10:53:47 UTC
(In reply to comment #8)
> FYI - discussing the patches further with David (ddiss at suse - original
> fix author) we have identified one further fix and a regression in his
> original fixes.  Both will be attached shortly.  David has these too now,
> but perhaps they should be sent out to any other distributors.

Thank you for pointing this out, Nathan. Do you possibly know from David if he has contacted the SUSE Security Team to re-send the patches? Or is Red Hat Security Response Team expected to do that? Can you clarify either of the options?

> 
> With these, the PCP testsuite is looking in fairly good shape at this stage.
> 
> cheers.
> 
> --
> Nathan

Thank you, Jan.

Comment 12 Nathan Scott 2012-11-16 22:39:32 UTC
David has definitely contacted the SUSE security folks - was just CC'd on their latest patchset and it includes these two fixes now (was also CC'd to members of the SUSE security team). AIUI there is no expectation that the Red Hat security team will need to propagate any patches (I will confirm that with them too).

My current understanding is that SUSE will provide their full patch series, and I'll be doing the upstream merging (and a pcp-3.6.10 release) which includes all these patches, and also the devtoolset and Fedora updates on Monday (19th Nov).

cheers.

--
Nathan

Comment 13 Jan Lieskovsky 2012-11-19 11:12:50 UTC
Public via:
  https://bugzilla.novell.com/show_bug.cgi?id=782967

Comment 14 Jan Lieskovsky 2012-11-19 11:15:33 UTC
Created pcp tracking bugs for this issue

Affects: fedora-all [bug 877983]
Affects: epel-all [bug 877984]

Comment 16 Fedora Update System 2012-11-23 02:53:55 UTC
pcp-3.6.10-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2012-11-23 03:14:22 UTC
pcp-3.6.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2012-11-23 07:15:20 UTC
pcp-3.6.10-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-01-02 19:08:22 UTC
pcp-3.6.10-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-01-04 19:42:11 UTC
pcp-3.6.10-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.