Bug 1016960 - (CVE-2013-4419) CVE-2013-4419 libguestfs: insecure temporary directory handling for guestfish's network socket
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20131017,repor...
Keywords: Security
Depends On: 1019503 1019737 1020535 1020950
Blocks: 974906 1016967
Reported: 2013-10-09 00:01 EDT by Murray McAllister
Modified: 2016-04-25 15:52 EDT
Fixed In Version: libguestfs 1.20.12, libguestfs 1.22.7, libguestfs 1.24
Doc Type: Bug Fix
Last Closed: 2013-11-22 01:19:54 EST


Attachments
fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket (895 bytes, patch)
2013-10-09 07:28 EDT, Richard W.M. Jones
fish: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). (3.21 KB, patch)
2013-10-09 07:29 EDT, Richard W.M. Jones
fish: Move the guestfish socket from /tmp/.guestfish-$UID to /run/user/$UID. (1.54 KB, patch)
2013-10-09 07:31 EDT, Richard W.M. Jones
fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). (4.95 KB, patch)
2013-10-11 07:36 EDT, Richard W.M. Jones

Description Murray McAllister 2013-10-09 00:01:26 EDT
libguestfs is a library for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode (using the "--listen" option). If guestfish were run with the "--listen" option, a local attacker could use this flaw to intercept and modify other users' guestfish commands, allowing them to perform arbitrary guestfish actions (such as modifying virtual machines) with the privileges of a different user, or use this flaw to obtain authentication credentials.

Acknowledgements:

This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
Comment 3 Richard W.M. Jones 2013-10-09 07:28:30 EDT
Created attachment 809855
fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket

Semi-related code cleanup.
Comment 4 Richard W.M. Jones 2013-10-09 07:29:50 EDT
Created attachment 809857
fish: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960).

This is the meat of the fix: check that the directory
that we create (a) is a directory (b) has the right mode
(c) has the right owner.
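
The three checks listed in comment 4, as an added example (not the attached patch and not libguestfs code). The names `ensure_private_dir` and `demo` are hypothetical, the use of `lstat` is this example's choice rather than something the page states, and the scenarios are constructed in a scratch directory under /tmp.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: return 0 if dir exists (creating it if needed)
 * and is safe to hold a private socket, -1 otherwise. */
int ensure_private_dir(const char *dir)
{
    struct stat sb;

    /* An existing entry is not an error here; it is vetted below. */
    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;
    /* lstat so a symlink planted at this path is rejected, not followed. */
    if (lstat(dir, &sb) == -1)
        return -1;
    if (!S_ISDIR(sb.st_mode) ||             /* (a) is a directory */
        (sb.st_mode & 0777) != 0700 ||      /* (b) has the right mode */
        sb.st_uid != geteuid())             /* (c) has the right owner */
        return -1;
    return 0;
}

/* Constructed scenarios: bit i of the result is set when scenario i is
 * accepted. Only scenario 0 (a freshly created directory) should pass. */
int demo(void)
{
    char base[] = "/tmp/privdir-demo-XXXXXX", p[64];
    int r = 0;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(p, sizeof p, "%s/fresh", base);    /* 0: does not exist yet */
    r |= (ensure_private_dir(p) == 0) << 0;
    snprintf(p, sizeof p, "%s/loose", base);    /* 1: pre-made, mode 0755 */
    if (mkdir(p, 0755) == -1 || chmod(p, 0755) == -1)
        return -1;
    r |= (ensure_private_dir(p) == 0) << 1;
    snprintf(p, sizeof p, "%s/link", base);     /* 2: symlink to a 0700 dir */
    if (symlink(base, p) == -1)
        return -1;
    r |= (ensure_private_dir(p) == 0) << 2;
    return r;
}

int main(void) { printf("accepted scenarios bitmask: %d\n", demo()); }
```

The wrong-owner case (c) cannot be constructed without a second account, so the demo exercises only (a) and (b); a directory pre-created by another user fails the `st_uid` comparison in the same way.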
Comment 5 Richard W.M. Jones 2013-10-09 07:31:55 EDT
Created attachment 809858
fish: Move the guestfish socket from /tmp/.guestfish-$UID to /run/user/$UID.

I'm probably not going to apply this third part because:

- Can we be sure that /run/user/$UID always has mode 0700?

- /run/user is entirely missing on Debian Wheezy

- It seems to be safe to create the socket in /tmp now that
  we're doing all the checks -- the worst that could happen
  is a poor denial of service attack by a local user who is
  immediately visible.
Comment 6 Richard W.M. Jones 2013-10-09 07:34:14 EDT
BTW I'm happy to publish this fix as soon as possible.  It is
low impact.
Comment 11 Michael Scherer 2013-10-09 18:25:52 EDT
To answer comment #5, what about using $XDG_RUNTIME_DIR (cf. man pam_systemd, this is "Path to a user-private user-writable directory that is bound to the user login time on the machine"), and fall back to /tmp if it doesn't exist?

(with $XDG_RUNTIME_DIR being /run/user/$uid/, as set by the pam module)

This will cover the case of non-systemd systems, i.e. Debian Wheezy among others, while still using the proper directory for newer systems, and this could be cleaned up later once we decide to stop supporting older systems?
Comment 18 Richard W.M. Jones 2013-10-11 07:36:37 EDT
Created attachment 811007
fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960).

Version 2 of proposed patch.

Note also that "fish: Use UNIX_PATH_MAX instead of hard-coded value
for max length of socket" which is really an unrelated code cleanup
has gone upstream already.
Comment 25 Richard W.M. Jones 2013-10-17 05:26:39 EDT
FYI the public announcement is going out today at 12:00 UTC, unless
anyone says otherwise in ~ the next 3 hours ...
Comment 26 Richard W.M. Jones 2013-10-17 08:01:29 EDT
This issue is now public:
https://www.redhat.com/archives/libguestfs/2013-October/msg00031.html
Comment 27 Tomas Hoger 2013-10-17 16:56:18 EDT
Created libguestfs tracking bugs for this issue:

Affects: fedora-all [bug 1020535]
Comment 29 Vincent Danen 2013-10-18 11:14:41 EDT
Created libguestfs tracking bugs for this issue:

Affects: epel-5 [bug 1020950]
Comment 30 Fedora Update System 2013-10-26 23:58:49 EDT
libguestfs-1.20.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2013-10-26 23:59:58 EDT
libguestfs-1.22.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2013-10-27 01:32:50 EDT
libguestfs-1.22.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2013-10-27 01:34:31 EDT
libguestfs-1.20.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2013-11-10 01:52:13 EST
libguestfs-1.24.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 errata-xmlrpc 2013-11-20 23:47:10 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1536 https://rhn.redhat.com/errata/RHSA-2013-1536.html
Comment 39 Fedora Update System 2016-04-25 15:52:41 EDT
libguestfs-1.20.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
