Bug 1194651 (CVE-2015-0278) - CVE-2015-0278 libuv: incorrect revocation order while relinquishing privileges
Summary: CVE-2015-0278 libuv: incorrect revocation order while relinquishing privileges
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-0278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Depends On: 1194653 1194654 1194655 1194656
Blocks: 1194650
Reported: 2015-02-20 13:04 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)

Doc Type: Bug Fix
Last Closed: 2016-06-28 12:49:20 UTC

Description Vasyl Kaigorodov 2015-02-20 13:04:57 UTC
It was found [1] that libuv does not call setgroups before calling setuid/setgid.
This may potentially allow an attacker to gain elevated privileges.
Upstream fix for 0.10: https://github.com/libuv/libuv/pull/215

[1]: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c

Comment 2 Vasyl Kaigorodov 2015-02-20 13:06:38 UTC
Created libuv tracking bugs for this issue:

Affects: fedora-all [bug 1194653]
Affects: epel-all [bug 1194654]

Comment 3 T.C. Hollingsworth 2015-02-24 23:35:24 UTC
Upstream announcement:
https://groups.google.com/d/msg/libuv/0JZxwLMtsMI/jraczskYWWQJ

Red Hat assigned CVE-2015-0278 to this issue.

Comment 4 Fedora Update System 2015-02-28 10:22:02 UTC
v8-3.14.5.10-17.fc21, nodejs-0.10.36-3.fc21, libuv-0.10.34-1.fc21 have been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-03-13 16:56:10 UTC
v8-3.14.5.10-17.fc20, nodejs-0.10.36-3.fc20, libuv-0.10.34-1.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-03-13 17:03:31 UTC
compat-libuv010-0.10.34-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Siddharth Sharma 2015-03-17 07:45:16 UTC
Analysis
========

In the code of nodejs010-libuv, in the function static void uv__process_child_init(), the following code calls setgid() and setuid():

...
  /* Primary group and uid are changed here, but the supplementary group
     list inherited from the parent is never cleared with setgroups(). */
  if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) {
    uv__write_int(error_fd, errno);
    perror("setgid()");
    _exit(127);
  }

  if ((options.flags & UV_PROCESS_SETUID) && setuid(options.uid)) {
    uv__write_int(error_fd, errno);
    perror("setuid()");
    _exit(127);
  }
...

Before calling setgid() and setuid() it does not call setgroups() while dropping privileges. There are ancillary groups associated with the process which are inherited from the parent process and which can only be altered by the superuser. If some process runs with root or equivalent privileges, it should call setgroups() before dropping root privileges.
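
The drop order described in comment 7, as an added example in C that is not libuv's own code: setgroups() runs first, while the process still has the right to change its supplementary group list, then setgid(), then setuid(), followed by two audit helpers a service can use to verify the result. The function names (drop_privileges, count_stray_groups, has_stray_supplementary_groups, privileges_really_dropped) are assumed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Example code, not libuv's: drop privileges in the order libuv 0.10 lacked.
 * setgroups() needs CAP_SETGID, so it must run while the process is still
 * root; after setgid()/setuid() the inherited supplementary groups are stuck.
 * Returns 0 on success or -errno of the first failing call. */
int drop_privileges(uid_t uid, gid_t gid) {
  /* 1. Replace the inherited supplementary group list with just `gid`. */
  if (setgroups(1, &gid) != 0) return -errno;
  /* 2. Primary gid before uid: an unprivileged uid cannot change its gid. */
  if (setgid(gid) != 0) return -errno;
  /* 3. Give up the uid last. */
  if (setuid(uid) != 0) return -errno;
  return 0;
}

/* Pure check over a group list: how many entries are not `expected`.
 * Anything left after a drop to `expected` is a stray inherited group. */
int count_stray_groups(const gid_t *groups, int n, gid_t expected) {
  int stray = 0;
  for (int i = 0; i < n; i++)
    if (groups[i] != expected) stray++;
  return stray;
}

/* Audit the calling process (no root needed): 1 if stray supplementary
 * groups are attached, 0 if the list is clean, -errno on error. */
int has_stray_supplementary_groups(gid_t expected) {
  int n = getgroups(0, NULL);             /* query the list length */
  if (n < 0) return -errno;
  gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
  if (groups == NULL) return -ENOMEM;
  n = getgroups(n + 1, groups);
  if (n < 0) { int e = errno; free(groups); return -e; }
  int stray = count_stray_groups(groups, n, expected);
  free(groups);
  return stray > 0;
}

/* After dropping to a non-root uid the process must not be able to get
 * root back: 1 if it cannot (drop complete), 0 if it still can. */
int privileges_really_dropped(uid_t uid) {
  if (uid == 0) return 1;                 /* nothing was dropped */
  return setuid(0) == -1 && setgid(0) == -1;
}
```

Run as root, drop_privileges() followed by has_stray_supplementary_groups() and privileges_really_dropped() confirms that no parent-inherited group survives the drop; as an unprivileged user, drop_privileges() fails at setgroups() with EPERM, which is exactly why the call must come before setuid().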

Comment 9 Siddharth Sharma 2015-03-26 04:34:49 UTC
On further analysis of this flaw present in libuv as shipped with the nodejs10-libuv package present in Red Hat Software Collections, it seems the impact of this flaw is low, as it depends on whether the nodejs application is running under root privileges or not; looking at the use cases of libuv with nodejs, nodejs applications would be running with the privileges they are expected to be running with and not dropping them later on. As for other applications using libuv running under superuser/root privileges, the impact of this flaw would be moderate.

Comment 10 Fedora Update System 2015-04-30 17:12:43 UTC
v8-3.14.5.10-17.el6, nodejs-0.10.36-3.el6, libuv-0.10.34-1.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-04-30 17:13:24 UTC
v8-3.14.5.10-17.el7, nodejs-0.10.36-3.el7, libuv-0.10.34-1.el7 have been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Siddharth Sharma 2015-05-11 04:17:15 UTC
Statement:

(none)
