It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.
The vulnerable code in util.py:
266 def get_rpm_nvr_by_file_path_temporary(name):
267 if name is None or not os.path.exists(name):
268 return None
270 nvr = None
272 import commands
273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
274 if rc == 0:
275 nvr = output
277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
278 return nvr
Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.
Created attachment 1003803 [details]
don't use unsecure commands.getstatusoutput in for getting rpm nvr
subprocess module methods doesn't use shell by default.
(In reply to Huzaifa S. Sidhpurwala from comment #10)
> This looks insufficient. What if a filename is e.g. "-a"?
> BTW, at least my copy of RPM doesn't appear to support "--" to stop
> sub-option parsing.
> In general, this design feels very fragile. I'd disable the feature.
Thinking more about this I'd use the proposed patch:
- You should not be able to run arbitrary code using only an argument of rpm command.
- When you have "-a" file, rpm command will get "/tmp/-a" as an argument, not "-a" directly
Created attachment 1004551 [details]
fix get_rpm_nvr_*_temporary functions
- use subprocess.check_output() instead of commands.getstatusoutput()
- use os.path.abspath() to get a normalized absolutized version of the name.
Created setroubleshoot tracking bugs for this issue:
Affects: fedora-all [bug 1206050]
Write-up and public exploit from the reporter:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 5
Via RHSA-2015:0729 https://rhn.redhat.com/errata/RHSA-2015-0729.html
setroubleshoot-3.2.22-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
setroubleshoot-3.2.17-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
setroubleshoot-3.2.22-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.