Bug 1183151 (CVE-2015-0233) - CVE-2015-0233 389-admin: multiple /tmp/ file vulnerabilities
Summary: CVE-2015-0233 389-admin: multiple /tmp/ file vulnerabilities
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-0233
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150116,reported=2...
Keywords: Security
Depends On: 1183152 1183153 1183154
Blocks: 1014780
TreeView+ depends on / blocked
 
Reported: 2015-01-16 20:23 UTC by Kurt Seifried
Modified: 2019-06-08 20:22 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-24 05:02:13 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2015-01-16 20:23:47 UTC
Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

In the file 

./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in

my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

and in the file:

./389-admin-1.1.36/lib/libadmin/httpcon.c

char *dbd = "/tmp/http_trace.%d";

The perl code should use mkstemp() and the C code should use mkstemp().

These issues are only locally exploitable and require administrative action in order to exploit.

Comment 1 Kurt Seifried 2015-01-16 20:25:24 UTC
Statement:

This issue affects the versions of 389-admin as shipped with Red Hat Directory Server 9.1. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 3 Kurt Seifried 2015-01-16 20:26:33 UTC
Created 389-admin tracking bugs for this issue:

Affects: fedora-all [bug 1183153]
Affects: epel-all [bug 1183154]

Comment 4 Kurt Seifried 2015-01-16 20:53:04 UTC
Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Comment 5 Noriko Hosoi 2015-01-19 22:53:02 UTC
Hi Kurt,

I took a look at the 2 cases you pointed out.

1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
    my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

Luckily, the code was introduced by this bug for RHDS10.0 which is not released at all including fedora and epel.
https://bugzilla.redhat.com/show_bug.cgi?id=1173252
Thus, we could just reopen this bug (and the corresponding ticket to take care of the /tmp issue.

2) ./389-admin-1.1.36/lib/libadmin/httpcon.c

And this is a pure debug code which does not get built with DEBUG_TRACE enabled.  Probably, we could comment out "/tmp/http_trace.%d" part.  But I don't think it is a target of CVE.
/* #define DEBUG_TRACE 1 */
#undef DEBUG_TRACE

#ifdef DEBUG_TRACE
FILE *dbf = NULL;
int numconns = 0;
char *dbd = "/tmp/http_trace.%d";
char dbp[256];
#endif

That's being said, could it be possible to close this CVE bug and let us work on the 2 issues as a normal issue for DS10?  Thanks!!

Comment 6 Kurt Seifried 2015-08-24 05:02:13 UTC
(In reply to Noriko Hosoi from comment #5)
> Hi Kurt,
> 
> I took a look at the 2 cases you pointed out.
> 
> 1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
>     my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
> 
> Luckily, the code was introduced by this bug for RHDS10.0 which is not
> released at all including fedora and epel.
> https://bugzilla.redhat.com/show_bug.cgi?id=1173252
> Thus, we could just reopen this bug (and the corresponding ticket to take
> care of the /tmp issue.
> 
> 2) ./389-admin-1.1.36/lib/libadmin/httpcon.c
> 
> And this is a pure debug code which does not get built with DEBUG_TRACE
> enabled.  Probably, we could comment out "/tmp/http_trace.%d" part.  But I
> don't think it is a target of CVE.
> /* #define DEBUG_TRACE 1 */
> #undef DEBUG_TRACE
> 
> #ifdef DEBUG_TRACE
> FILE *dbf = NULL;
> int numconns = 0;
> char *dbd = "/tmp/http_trace.%d";
> char dbp[256];
> #endif
> 
> That's being said, could it be possible to close this CVE bug and let us
> work on the 2 issues as a normal issue for DS10?  Thanks!!

Apologies, this was not marked NEEDINFO so I didn't see it in my BZ spam. 

It appears this was fixed, so closing CURRENTRELEASE.


Note You need to log in before you can comment on or make changes to this bug.