Bug 1212861 (CVE-2015-1869) - CVE-2015-1869 abrt: default event scripts follow symbolic links
Summary: CVE-2015-1869 abrt: default event scripts follow symbolic links
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-1869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1211966 1211967 1212863 1212864 1212865
Blocks: 1211224 1214172
Reported: 2015-04-17 14:34 UTC by Florian Weimer
Modified: 2023-05-12 08:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the default event handling scripts installed by ABRT did not handle symbolic links correctly. A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2015-07-09 05:34:12 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:1083 | 0 | normal | SHIPPED_LIVE | Important: abrt security update | 2015-06-09 23:48:24 UTC
Red Hat Product Errata | RHSA-2015:1210 | 0 | normal | SHIPPED_LIVE | Moderate: abrt security update | 2015-07-07 12:39:40 UTC

Description Florian Weimer 2015-04-17 14:34:10 UTC
It was discovered that the default event handling scripts installed by
abrt follow symbolic links, allowing local attackers with write access
to an abrt problem directory to escalate their privileges, as
demonstrated by a var_log_messages file which is a symbolic link to a file
in /etc/cron.hourly.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.
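
An added illustration of the bug class described above (not ABRT's code and not the upstream fix): a privileged writer that creates an element in a user-writable problem directory opens it relative to a directory descriptor with O_NOFOLLOW and verifies the result with fstat() before modifying anything. The function names, the scratch paths under /tmp and the element name backtrace are assumptions made for the example; var_log_messages is the name from the report.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write buf to `name` inside the directory open at dirfd, refusing a symlink
 * as the final path component. Returns 0, or -1 with errno set. */
int write_element_nofollow(int dirfd, const char *name, const char *buf)
{
    /* O_NOFOLLOW: ELOOP on a symlink. No O_TRUNC: nothing changes before the checks. */
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* Also reject FIFOs/devices and hard links to files elsewhere. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(buf);
    int ok = ftruncate(fd, 0) == 0 && write(fd, buf, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: scratch problem directory whose var_log_messages is a symlink
 * to a file outside it. Returns 1 when the symlink is refused and the target untouched. */
int demo(void)
{
    char dir[] = "/tmp/dd-demo-XXXXXX", target[] = "/tmp/dd-target-XXXXXX";
    int t = mkstemp(target);
    if (t < 0 || !mkdtemp(dir)) return -1;
    close(t);
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0 || symlinkat(target, dfd, "var_log_messages") != 0) return -1;
    int refused = write_element_nofollow(dfd, "var_log_messages", "x\n") < 0 && errno == ELOOP;
    struct stat st;
    int untouched = stat(target, &st) == 0 && st.st_size == 0;
    int wrote = write_element_nofollow(dfd, "backtrace", "x\n") == 0;
    unlinkat(dfd, "var_log_messages", 0); unlinkat(dfd, "backtrace", 0);
    unlink(target); close(dfd); rmdir(dir);
    return refused && untouched && wrote;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the last path component, which is why the element is opened relative to an already-open directory descriptor rather than by a full path string.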

Comment 3 Florian Weimer 2015-04-17 14:39:24 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212865]

Comment 5 Jakub Filak 2015-05-05 11:18:35 UTC
The commits are listed in bug #1212868 comment #4.

Comment 6 Jakub Filak 2015-05-06 12:48:02 UTC
I am going to make the code a bit more robust by preventing non-root users from triggering the default event scripts run by abrtd under the root user.

Comment 7 Jakub Filak 2015-05-22 04:57:03 UTC
These commits stop non-root users from triggering the default EVENT scripts:
daemon: allow only root user to trigger the post-create 
https://github.com/abrt/abrt/commit/3287aa12eb205cff95cdd00d6d6c5c9a4f8f0eca

daemon, dbus: allow only root to create CCpp, Koops, vmcore and xorg 
https://github.com/abrt/abrt/commit/7417505e1d93cc95ec648b74e3c801bc67aacb9f

Comment 11 errata-xmlrpc 2015-06-09 19:48:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 13 errata-xmlrpc 2015-07-07 08:40:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html

