Bug 879094 (CVE-2012-5561)
| Summary: | CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bkearney, cpelland, daviddavis, gkhachik, jomara, katello-bugs, mmccune, omaciel, security-response-team, sthirugn |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-04-23 13:17:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 878888, 888941, 908429 | | |
| Bug Blocks: | 879097, 883745, 892883, 906638 | | |
Description

Kurt Seifried
2012-11-22 03:27:57 UTC

/etc/katello/secure/passphrase is created by /usr/share/katello/script/katello-generate-passphrase, which is a bash script; specifically, at the end:

```bash
FILE=/etc/katello/secure/passphrase
[ $FORCE -eq 0 -a -f $FILE ] && \
  echo "Passphrase file was already generated, you can only generate once" && exit 1
PASS=$(</dev/urandom tr -dc A-Za-z0-9 | head -c 64)
echo "$PASS" > $FILE
```

Acknowledgements: This issue was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering team.

Fixing this by creating a "katello_shared" group that users tomcat & katello are added to. This file is then made group readable. Example:

```
[root@cersei ~]# ll /etc/katello
total 52
...
drwxr-x---. 2 root katello_shared 4096 Jan  3 16:48 secure
..
[root@cersei ~]# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello_shared 65 Jan  3 16:48 passphrase
```

pull request submitted upstream: https://github.com/Katello/katello/pull/1349

Just to confirm, katello_shared has been changed to katello-shared (hyphen instead of underscore), which is the more normal case.

```
[root@tigger ~]# ll /etc/katello | grep secure
drwxr-xr-x. 2 root root 4096 Jan 31 12:29 secure
[root@tigger ~]# ll /etc/katello/secure
total 4
-rw-r--r--. 1 root root 65 Jan 31 12:29 passphrase
[root@tigger ~]# grep katello /etc/group
katello:x:182:tomcat,qpidd,apache
```

CFSE 1.1.2:

* candlepin-0.7.19-3.el6cf.noarch
* candlepin-selinux-0.7.19-3.el6cf.noarch
* candlepin-tomcat6-0.7.19-3.el6cf.noarch
* elasticsearch-0.18.4-11.el6.noarch
* katello-1.1.12.2-1.el6cf.noarch
* katello-all-1.1.12.2-1.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-14.el6cf.noarch
* katello-cli-common-1.1.8-14.el6cf.noarch
* katello-common-1.1.12.2-1.el6cf.noarch
* katello-configure-1.1.9-13.el6cf.noarch
* katello-glue-candlepin-1.1.12.2-1.el6cf.noarch
* katello-glue-pulp-1.1.12.2-1.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-2.el6cf.noarch
* pulp-1.1.15-1.el6cf.noarch
* pulp-common-1.1.15-1.el6cf.noarch
* pulp-selinux-server-1.1.15-1.el6cf.noarch

```
2013-01-31 14:53:14 < jomara> omaciel: hmm, what version of the software? where?
2013-01-31 14:53:57 < omaciel> jomara: https://bugzilla.redhat.com/show_bug.cgi?id=879094#c7
2013-01-31 14:54:32 < jomara> * candlepin-0.7.19-3.el6cf.noarch
2013-01-31 14:54:40 < jomara> aint that old
2013-01-31 14:54:53 < omaciel> it's what we're shipping with 1.1.2
2013-01-31 14:55:03 < jomara> ok
2013-01-31 14:55:07 < jomara> well, that shouldnt matter really
2013-01-31 14:55:22 < jomara> katello-selinux-1.2.1-2h.el6_3 sam-1.2-rhel-6-candidate jomara
2013-01-31 14:55:28 < jomara> * katello-selinux-1.1.1-2.el6cf.noarch
2013-01-31 14:55:30 < jomara> THERES THE BOTTLENECK
2013-01-31 14:56:08 < omaciel> jomara: do we have the wrong version of katello-selinux?
2013-01-31 14:56:12 < jomara> yes
2013-01-31 14:56:13 < jomara> you do
```

Verified in version:

* candlepin-0.7.23-1.el6_3.noarch
* candlepin-cert-consumer-cloud-qe-8.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-tomcat6-0.7.23-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1-15h.el6_3.noarch
* katello-configure-1.2.3-3h.el6_3.noarch
* katello-glue-candlepin-1.2.1-15h.el6_3.noarch
* katello-headpin-1.2.1-15h.el6_3.noarch
* katello-headpin-all-1.2.1-15h.el6_3.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28-1.el6_3.noarch
* thumbslug-selinux-0.0.28-1.el6_3.noarch

Output:

```
# ll /etc/katello|grep secure
drwxr-x---. 2 root katello-shared 4096 Feb  6 10:23 secure
# ll /etc/katello/secure
total 4
-rw-rw----. 1 root katello-shared 65 Jan 28 16:09 passphrase
# grep katello /etc/group
katello:x:182:tomcat,apache,thumbslug
katello-shared:x:496:katello,tomcat
```

This issue has been addressed in the following products:

CloudForms for RHEL 6

Via RHSA-2013:0547 https://rhn.redhat.com/errata/RHSA-2013-0547.html

This issue has been addressed in the following products:

Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0544 https://rhn.redhat.com/errata/RHSA-2013-0544.html
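The defect in the original script is that `echo "$PASS" > $FILE` creates the file under the process umask (typically 022), so the secret is world-readable from the moment it exists. The fix discussed in this bug (a shared group, directory 0750, file 0660) closes the exposure, but it also matters that there is no window between creation and the chmod. The shell script below is an added example, not Katello's katello-generate-passphrase or any code from the pull request above: it generates the file under `umask 077`, hands it to a shared group only afterwards, and includes an audit function of the kind a verification step would use to catch the `-rw-r--r--` state seen on the tigger host. The group name `katello-shared`, the `FORCE` environment variable and the function names are assumptions taken from the bug text, not an interface Katello provides; the `check_passphrase_perms` audit is my own addition.

```shell
#!/bin/sh
# Added example (not Katello's script): create a passphrase file that is
# never world-readable, then audit it. Assumed names: generate_passphrase,
# check_passphrase_perms, default group "katello-shared", env var FORCE.

# generate_passphrase FILE [GROUP]
# Writes 64 random [A-Za-z0-9] characters plus a newline to FILE (65 bytes,
# like the file in the bug), directory 0750, file 0640, group-owned by GROUP
# when that group exists on the host. Refuses to overwrite unless FORCE=1,
# mirroring the original script's "generate once" check.
generate_passphrase() {
    file=$1
    group=${2:-katello-shared}   # assumed shared group from the bug discussion
    dir=$(dirname "$file")

    if [ "${FORCE:-0}" -eq 0 ] && [ -f "$file" ]; then
        echo "Passphrase file was already generated, you can only generate once" >&2
        return 1
    fi

    # Directory: owner and group may traverse it, "other" gets nothing.
    mkdir -p "$dir"
    chmod 0750 "$dir"

    # umask 077 makes the file 0600 at creation, so there is no interval in
    # which the redirect has created a 0644 file that a later chmod tightens.
    old_umask=$(umask)
    umask 077
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64 > "$file"
    echo >> "$file"
    umask "$old_umask"

    # Only after the content is in place: give the shared group read access.
    # chgrp is skipped when the group is absent (e.g. on a dev box); the file
    # then simply stays 0600 for its owner and is still never world-readable.
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dir" "$file"
    fi
    chmod 0640 "$file"
}

# check_passphrase_perms FILE
# Audit helper: succeeds only if FILE exists and its "other" permission bits
# are all zero. A 0644 file (the state reported for CFSE 1.1.2) fails.
check_passphrase_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat prints the octal mode with -c '%a'; BSD stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ "$other" -ne 0 ]; then
        echo "WORLD-ACCESSIBLE: $f has mode $mode" >&2
        return 1
    fi
    return 0
}

# Demo against a throwaway directory (no root needed); run with "--demo".
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    generate_passphrase "$demo_dir/secure/passphrase" "$(id -gn)"
    ls -l "$demo_dir/secure/passphrase"
    check_passphrase_perms "$demo_dir/secure/passphrase" && echo "audit: ok"
    rm -rf "$demo_dir"
fi
```

On a real host the call is `generate_passphrase /etc/katello/secure/passphrase katello-shared` as root, after the shared group and its members have been created; the audit function can be dropped into a post-install or QE verification step so that a regression to a world-readable file is caught automatically rather than by eyeballing `ll` output.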