Bug 998227 (CVE-2013-4260)
Summary: | CVE-2013-4260 ansible: predictible filename used for failed result in world writable directory | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael S. <misc> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | athmanem, kevin, maxim, security-response-team, tbielawa, vdanen, vkrizan | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2013-09-05 22:48:26 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 999621, 999626 | ||||||
Bug Blocks: | 998712 | ||||||
Attachments: |
|
Description
Michael S.
2013-08-18 12:17:28 UTC
Created attachment 787776 [details]
patch to use a different directory and check the permission after
Here is a patch that should fix the problem, I quickly tested and seems to be resilient enough. I may have forgot something about symlinks however, so a review would be welcome.
Why not use tempfile.mkdtemp? http://docs.python.org/2/library/tempfile.html#tempfile.mkdtemp So something like this: #!/usr/bin/env python import tempfile import os f = tempfile.mkdtemp(prefix='foo', dir='/tmp') try: os.rename(f, '/tmp/foo') except OSError: print 'Unable to rename directory!' os.rmdir(f) Probably better exception handling to see if the /tmp/foo directory is valid and owned by that user first, but for the actual creation, mkdtemp() will do so securely and os.rename will do so atomically. Acknowledgements: Red Hat would like to thank Michael Scherer for reporting this issue. I can hardly see how/where there is a need to create the directory in a atomic fashion in the first place, and since check (if the directory /tmp/foo exist and is suitable ) and rename would not be atomic, then we would have a race condition. If someone create it between the time I check and the time I create the dir, the makedir will fail, and so directory is not used. And the owner wil be incorrect, since user cannot make chown to give file ( unless people have been playing with CAP_CHOWN but i will count that as "unlikely" ) Since the code is supposed to be able to fail, it is better to use this possibility in case of problem. But we will see the opinion of upstream. Upstream release with fixes announced: https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg Can we unembargo and setup updates bugs links for the updates? Thanks. Created ansible tracking bugs for this issue: Affects: fedora-all [bug 999621] Affects: epel-6 [bug 999626] ansible-1.2.3-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. ansible-1.2.3-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |