1212868 – (CVE-2015-1870) CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure

Bug 1212868 (CVE-2015-1870) - CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure

Summary: CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-1870
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1211966 Engineering1211967 Engineering1212869 Engineering1212870 1212871
Blocks:	Embargoed1211224 Red Hat1214172
TreeView+	depends on / blocked

Reported:	2015-04-17 14:45 UTC by Florian Weimer
Modified:	2023-05-12 08:54 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that the ABRT event scripts created a user-readable copy of an sosreport file in ABRT problem directories, and included excerpts of /var/log/messages selected by the user-controlled process name, leading to an information disclosure. The fix for this issue prevents non-privileged users from accessing any crash reports, even reports of crashes of processes owned by those users. Only administrators (the wheel group members) are allowed to access crash reports via the "System" tab in the ABRT GUI, or by running abrt-cli as root (that is, via "sudo abrt-cli" or "su -c abrt-cli").
Clone Of:
Environment:
Last Closed:	2015-07-09 05:34:39 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1083	0	normal	SHIPPED_LIVE	Important: abrt security update	2015-06-09 23:48:24 UTC
Red Hat Product Errata	RHSA-2015:1210	0	normal	SHIPPED_LIVE	Moderate: abrt security update	2015-07-07 12:39:40 UTC

Description Florian Weimer 2015-04-17 14:45:25 UTC

It was discovered that the abrt event scripts create a user-readable
copy of a sosreport file in abrt problem directories, and include
excerpts of /var/log/messages selected by the user-controlled process
name, leading to an information disclosure.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Florian Weimer 2015-04-17 14:46:20 UTC

Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212871]

Comment 4 Jakub Filak 2015-05-05 11:17:15 UTC

This upstream commit https://github.com/abrt/abrt/commit/8939398b82006ba1fec4ed491339fc075f43fc7c changes the owner to root.

This upstream commit https://github.com/abrt/abrt/commit/7d023c32a565e83306cddf34c894477b7aaf33d1 moves /var/tmp/abrt to /var/spool/abrt.

This upstream commit https://github.com/abrt/libreport/commit/c962918bc70a61a8cc647898ee8b1ff1c14a87c5 sets the mode of dump directories to 750.

Comment 7 Marek Bryša 2015-05-26 10:26:28 UTC

I believe there is one tiny mistake in the Doc Text:
"The fix for this issue prevents non-privileged users FROM access TO any crash reports, ..."

Comment 8 errata-xmlrpc 2015-06-09 19:49:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 9 errata-xmlrpc 2015-07-07 08:40:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html

Note You need to log in before you can comment on or make changes to this bug.