Bug 1183151 - (CVE-2015-0233) CVE-2015-0233 389-admin: multiple /tmp/ file vulnerabilities
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20150116,reported=2...
Keywords: Security
Depends On: 1183152 1183153 1183154
Blocks: 1014780
Reported: 2015-01-16 15:23 EST by Kurt Seifried
Modified: 2015-08-24 01:02 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-24 01:02:13 EDT
Description Kurt Seifried 2015-01-16 15:23:47 EST
Kurt Seifried of Red Hat Product Security reports:

There are several temporary file creation vulnerabilities:

In the file 

./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in

my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

and in the file:

./389-admin-1.1.36/lib/libadmin/httpcon.c

char *dbd = "/tmp/http_trace.%d";

The perl code should use mkstemp() and the C code should use mkstemp().

These issues are only locally exploitable and require administrative action in order to exploit.
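For the C case, the difference between the PID-based name and an mkstemp()-created file can be shown as follows. This is an added example, not code from 389-admin or from the report; the function names are hypothetical and /tmp is assumed to be writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: the name depends only on the PID, so any
 * local user can compute it before the process creates the file. */
int predictable_trace_name(char *buf, size_t len, const char *dir, int pid) {
    return snprintf(buf, len, "%s/http_trace.%d", dir, pid);
}

/* Hardened form (hypothetical helper): mkstemp() replaces XXXXXX with a
 * random suffix and opens the file with O_CREAT|O_EXCL and mode 0600,
 * so an existing file or symlink at that name is never reused. */
FILE *open_trace_file(const char *dir, char *path, size_t len) {
    int n = snprintf(path, len, "%s/http_trace.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return NULL;   /* template truncated */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(path); return NULL; }
    return fp;
}

/* Post-open check on the descriptor itself: regular file, owned by us,
 * no group/other permission bits, exactly one hard link. */
int trace_file_is_private(FILE *fp) {
    struct stat st;
    if (fstat(fileno(fp), &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0 && st.st_nlink == 1;
}

int main(void) {
    char path[256];
    FILE *fp = open_trace_file("/tmp", path, sizeof path);
    if (!fp) { perror("open_trace_file"); return 1; }
    fprintf(fp, "trace start\n");
    printf("%s private=%d\n", path, trace_file_is_private(fp));
    fclose(fp);
    unlink(path);   /* remove the sample file */
    return 0;
}
```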
Comment 1 Kurt Seifried 2015-01-16 15:25:24 EST
Statement:

This issue affects the versions of 389-admin as shipped with Red Hat Directory Server 9.1. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 3 Kurt Seifried 2015-01-16 15:26:33 EST
Created 389-admin tracking bugs for this issue:

Affects: fedora-all [bug 1183153]
Affects: epel-all [bug 1183154]
Comment 4 Kurt Seifried 2015-01-16 15:53:04 EST
Acknowledgement:

This issue was discovered by Kurt Seifried of Red Hat Product Security.
Comment 5 Noriko Hosoi 2015-01-19 17:53:02 EST
Hi Kurt,

I took a look at the 2 cases you pointed out.

1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
    my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;

Luckily, the code was introduced by this bug for RHDS10.0 which is not released at all including fedora and epel.
https://bugzilla.redhat.com/show_bug.cgi?id=1173252
Thus, we could just reopen this bug (and the corresponding ticket) to take care of the /tmp issue.

2) ./389-admin-1.1.36/lib/libadmin/httpcon.c

And this is a pure debug code which does not get built with DEBUG_TRACE enabled.  Probably, we could comment out "/tmp/http_trace.%d" part.  But I don't think it is a target of CVE.
/* #define DEBUG_TRACE 1 */
#undef DEBUG_TRACE

#ifdef DEBUG_TRACE
FILE *dbf = NULL;
int numconns = 0;
char *dbd = "/tmp/http_trace.%d";
char dbp[256];
#endif

That being said, could it be possible to close this CVE bug and let us work on the 2 issues as a normal issue for DS10?  Thanks!!
Comment 6 Kurt Seifried 2015-08-24 01:02:13 EDT
(In reply to Noriko Hosoi from comment #5)
> Hi Kurt,
> 
> I took a look at the 2 cases you pointed out.
> 
> 1) ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in
>     my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
> 
> Luckily, the code was introduced by this bug for RHDS10.0 which is not
> released at all including fedora and epel.
> https://bugzilla.redhat.com/show_bug.cgi?id=1173252
> Thus, we could just reopen this bug (and the corresponding ticket) to take
> care of the /tmp issue.
> 
> 2) ./389-admin-1.1.36/lib/libadmin/httpcon.c
> 
> And this is a pure debug code which does not get built with DEBUG_TRACE
> enabled.  Probably, we could comment out "/tmp/http_trace.%d" part.  But I
> don't think it is a target of CVE.
> /* #define DEBUG_TRACE 1 */
> #undef DEBUG_TRACE
> 
> #ifdef DEBUG_TRACE
> FILE *dbf = NULL;
> int numconns = 0;
> char *dbd = "/tmp/http_trace.%d";
> char dbp[256];
> #endif
> 
> That being said, could it be possible to close this CVE bug and let us
> work on the 2 issues as a normal issue for DS10?  Thanks!!

Apologies, this was not marked NEEDINFO so I didn't see it in my BZ spam. 

It appears this was fixed, so closing CURRENTRELEASE.
