Bug 1212861 (CVE-2015-1869) - CVE-2015-1869 abrt: default event scripts follow symbolic links
Summary: CVE-2015-1869 abrt: default event scripts follow symbolic links
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-1869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1211966 1211967 1212863 1212864 1212865
Blocks: 1211224 1214172
TreeView+ depends on / blocked
 
Reported: 2015-04-17 14:34 UTC by Florian Weimer
Modified: 2019-09-29 13:31 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the default event handling scripts installed by ABRT did not handle symbolic links correctly. A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2015-07-09 05:34:12 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1083 normal SHIPPED_LIVE Important: abrt security update 2015-06-09 23:48:24 UTC
Red Hat Product Errata RHSA-2015:1210 normal SHIPPED_LIVE Moderate: abrt security update 2015-07-07 12:39:40 UTC

Description Florian Weimer 2015-04-17 14:34:10 UTC
It was discovered that the default event handling scripts installed by
abrt follow symbolic links, allowing local attackers with write access
to an abrt problem directory to escalate their privileges, as
demonstrated by a var_log_messages file which is a symbolic link to file
in /etc/cron.hourly.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 3 Florian Weimer 2015-04-17 14:39:24 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212865]

Comment 5 Jakub Filak 2015-05-05 11:18:35 UTC
The commits are listed in bug #1212868 comment #4.

Comment 6 Jakub Filak 2015-05-06 12:48:02 UTC
I am going to make to the code a bit more robust by preventing non-root users from triggering the default event scripts run by abrtd under root user.

Comment 7 Jakub Filak 2015-05-22 04:57:03 UTC
These commits stop non-root users from triggering the default EVENT scripts:
daemon: allow only root user to trigger the post-create 
https://github.com/abrt/abrt/commit/3287aa12eb205cff95cdd00d6d6c5c9a4f8f0eca

daemon, dbus: allow only root to create CCpp, Koops, vmcore and xorg 
https://github.com/abrt/abrt/commit/7417505e1d93cc95ec648b74e3c801bc67aacb9f

Comment 11 errata-xmlrpc 2015-06-09 19:48:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 13 errata-xmlrpc 2015-07-07 08:40:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html


Note You need to log in before you can comment on or make changes to this bug.