Bug 1200927 (CVE-2015-1795) - CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
Summary: CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-1795
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150316,repor...
Depends On: 1362044
Blocks: 1200929
TreeView+ depends on / blocked
 
Reported: 2015-03-11 16:37 UTC by Martin Prpič
Modified: 2019-06-08 20:28 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that glusterfs-server RPM package would write file with predictable name into world readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package.
Clone Of:
Environment:
Last Closed: 2017-03-23 07:37:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0484 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:06:37 UTC
Red Hat Product Errata RHSA-2017:0486 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update 2017-03-23 09:18:45 UTC

Description Martin Prpič 2015-03-11 16:37:19 UTC
It was discovered that the glusterfs.spec file writes a shell script under a predictable temporary name. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs packages.

The vulnerable code is:

-- rpm in RHEL5 does not have os.tmpname()
-- io.tmpfile() can not be resolved to a filename to pass to bash :-/
tmpname = "/tmp/glusterfs_pretrans_" .. os.date("%s")
tmpfile = io.open(tmpname, "w")
tmpfile:write(script)
tmpfile:close()
ok, how, val = os.execute("/bin/bash " .. tmpname)

Comment 1 Martin Prpič 2015-03-11 16:40:05 UTC
Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Kurt Seifried 2015-03-16 19:37:22 UTC
We can easily avoid this in RHEL 6/7 by using something like:

if (SomeFunc ~= nil) then
  SomeFunc(Args)
end

and then for RHEL 5 we can use a made up /tmp thing that is a bit safer like maybe math.random or read from /dev/random and create a string from that.

Comment 3 Kurt Seifried 2015-03-17 17:07:32 UTC
This only affects Gluster packages built with the -server sub package.

Comment 4 Siddharth Sharma 2015-07-27 15:24:52 UTC
Analysis
--------

Spec file of the glusterfs writes a file with a predictable name in /tmp as /tmp/glusterfs_pretrans_ as this is executed during installation or when updating the glusterfs package. An attacker can execute a targeted attack by replacing contents of glusterfs_pretrans_ file by malicious code to escalate privileges on the system.

Comment 7 Milind Changire 2016-09-22 11:09:47 UTC
(In reply to Kurt Seifried from comment #3)
> This only affects Gluster packages built with the -server sub package.

All %pretrans scripts, which are only available while doing a server-side RPM build, use this mechanism of writing a shell script to a temporary file and then execute it.

Would it be safe to assume that fixing all such %pretrans scripts for all glusterfs sub packages would be a sensible thing to do?

Also, the glusterfs build on rhel 5 is a client only build and the %pretrans scripts with this security issue are available only for server-side RPM builds on rhel 6 and rhel 7. Since os.tmpname() is available on rhel 6 and rhel 7, would using the file name returned by os.tmpname() fix the security issue?

Comment 11 errata-xmlrpc 2017-03-23 05:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2017:0484 https://rhn.redhat.com/errata/RHSA-2017-0484.html

Comment 12 errata-xmlrpc 2017-03-23 05:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2017:0486 https://rhn.redhat.com/errata/RHSA-2017-0486.html

Comment 15 Siddharth Sharma 2017-12-26 14:35:02 UTC
Statement:

This issue did not affect the versions of glusterfs as shipped
with Red Hat Enterprise Linux 6, and 7.


Note You need to log in before you can comment on or make changes to this bug.