Bug 1194651 - (CVE-2015-0278) CVE-2015-0278 libuv: incorrect revocation order while relinquishing privileges
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140210,repor...
Keywords: Security
Depends On: 1194653 1194654 1194655 1194656
Blocks: 1194650
Reported: 2015-02-20 08:04 EST by Vasyl Kaigorodov
Modified: 2016-11-03 17:14 EDT

Doc Type: Bug Fix
Last Closed: 2016-06-28 08:49:20 EDT

Description Vasyl Kaigorodov 2015-02-20 08:04:57 EST
It was found [1] that libuv does not call setgroups before calling setuid/setgid.
This may potentially allow an attacker to gain elevated privileges.
Upstream fix for 0.10: https://github.com/libuv/libuv/pull/215

[1]: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c
Comment 2 Vasyl Kaigorodov 2015-02-20 08:06:38 EST
Created libuv tracking bugs for this issue:

Affects: fedora-all [bug 1194653]
Affects: epel-all [bug 1194654]
Comment 3 T.C. Hollingsworth 2015-02-24 18:35:24 EST
Upstream announcement:
https://groups.google.com/d/msg/libuv/0JZxwLMtsMI/jraczskYWWQJ

Red Hat assigned CVE-2015-0278 to this issue.
Comment 4 Fedora Update System 2015-02-28 05:22:02 EST
v8-3.14.5.10-17.fc21, nodejs-0.10.36-3.fc21, libuv-0.10.34-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-03-13 12:56:10 EDT
v8-3.14.5.10-17.fc20, nodejs-0.10.36-3.fc20, libuv-0.10.34-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-03-13 13:03:31 EDT
compat-libuv010-0.10.34-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Siddharth Sharma 2015-03-17 03:45:16 EDT
Analysis
========

In the code of nodejs010-libuv, in the function static void uv__process_child_init(), the following code calls setgid() and setuid():

...
  if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
    uv__write_int(error_fd, errno);
    perror("setgid()");
    _exit(127);
  }

  if ((options.flags & UV_PROCESS_SETUID) && setuid(options.uid)) {
    uv__write_int(error_fd, errno);
    perror("setuid()");
    _exit(127);
  }
...

Before calling setgid() and setuid(), it does not call setgroups() while dropping privileges. There are ancillary groups associated with the process, inherited from the parent process, which can only be altered by the superuser. If a process runs with root or equivalent privileges, it should call setgroups() before dropping root privileges.
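
The revocation order discussed in this bug, as an added example that is not libuv's code or the upstream patch: supplementary groups are cleared first, then the gid is set, then the uid, and the result is verified. It assumes Linux semantics (getgroups() returns 0 once the list is empty); drop_privileges() and the target id 65534 are names and values chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example: permanently drop root to (uid, gid) in the safe order.
 * Returns 0 on success, -1 on failure with errno set. On failure the
 * caller must exit rather than continue in a half-dropped state. */
int drop_privileges(uid_t uid, gid_t gid) {
  if (geteuid() != 0) {          /* only root may change groups and ids */
    errno = EPERM;
    return -1;
  }
  /* 1. Clear the supplementary groups inherited from the parent.
   *    This needs root, so it has to happen before setuid(). */
  if (setgroups(0, NULL) != 0) return -1;
  /* 2. Primary group next, while still root. */
  if (setgid(gid) != 0) return -1;
  /* 3. User id last: after this the process cannot redo steps 1 or 2. */
  if (setuid(uid) != 0) return -1;

  /* 4. Verify the result instead of trusting return values alone. */
  if (getuid() != uid || geteuid() != uid ||
      getgid() != gid || getegid() != gid ||
      getgroups(0, NULL) != 0) {
    errno = EPERM;
    return -1;
  }
  /* A non-root target must not be able to become root again. */
  if (uid != 0 && setuid(0) == 0) {
    errno = EPERM;
    return -1;
  }
  return 0;
}

int main(void) {
  /* 65534 is a constructed target id ("nobody" on many Linux systems). */
  if (drop_privileges(65534, 65534) != 0) {
    perror("drop_privileges");
    return 127;                  /* refuse to run with unexpected privileges */
  }
  printf("uid=%d gid=%d supplementary groups=%d\n",
         (int)getuid(), (int)getgid(), getgroups(0, NULL));
  return 0;
}
```

Started without root, the program exits with status 127 and changes nothing.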
Comment 9 Siddharth Sharma 2015-03-26 00:34:49 EDT
On further analysis of this flaw in libuv as shipped with the nodejs10-libuv package in Red Hat Software Collections, it seems the impact of this flaw is low, as it depends on whether the nodejs application is running under root privileges or not. Looking at the use cases of libuv with nodejs, nodejs applications would be running with the privileges they are expected to run with and not dropping them later on. As for other applications using libuv and running under superuser/root privileges, the impact of this flaw would be moderate.
Comment 10 Fedora Update System 2015-04-30 13:12:43 EDT
v8-3.14.5.10-17.el6, nodejs-0.10.36-3.el6, libuv-0.10.34-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-04-30 13:13:24 EDT
v8-3.14.5.10-17.el7, nodejs-0.10.36-3.el7, libuv-0.10.34-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Siddharth Sharma 2015-05-11 00:17:15 EDT
Statement:

(none)
