Bug 1212868 (CVE-2015-1870) - CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure
Summary: CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure
Status: CLOSED ERRATA
Alias: CVE-2015-1870
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150417,reported=2...
Keywords: Security
Depends On: 1211966 1211967 1212869 1212870 1212871
Blocks: 1211224 1214172
TreeView+ depends on / blocked
 
Reported: 2015-04-17 14:45 UTC by Florian Weimer
Modified: 2019-06-08 20:33 UTC (History)
10 users (show)

(edit)
It was found that the ABRT event scripts created a user-readable copy of an sosreport file in ABRT problem directories, and included excerpts of /var/log/messages selected by the user-controlled process name, leading to an information disclosure. The fix for this issue prevents non-privileged users from accessing any crash reports, even reports of crashes of processes owned by those users. Only administrators (the wheel group members) are allowed to access crash reports via the "System" tab in the ABRT GUI, or by running abrt-cli as root (that is, via "sudo abrt-cli" or "su -c abrt-cli").
Clone Of:
(edit)
Last Closed: 2015-07-09 05:34:39 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1083 normal SHIPPED_LIVE Important: abrt security update 2015-06-09 23:48:24 UTC
Red Hat Product Errata RHSA-2015:1210 normal SHIPPED_LIVE Moderate: abrt security update 2015-07-07 12:39:40 UTC

Description Florian Weimer 2015-04-17 14:45:25 UTC
It was discovered that the abrt event scripts create a user-readable
copy of a sosreport file in abrt problem directories, and include
excerpts of /var/log/messages selected by the user-controlled process
name, leading to an information disclosure.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Florian Weimer 2015-04-17 14:46:20 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1212871]

Comment 4 Jakub Filak 2015-05-05 11:17:15 UTC
This upstream commit https://github.com/abrt/abrt/commit/8939398b82006ba1fec4ed491339fc075f43fc7c changes the owner to root.

This upstream commit https://github.com/abrt/abrt/commit/7d023c32a565e83306cddf34c894477b7aaf33d1 moves /var/tmp/abrt to /var/spool/abrt.

This upstream commit https://github.com/abrt/libreport/commit/c962918bc70a61a8cc647898ee8b1ff1c14a87c5 sets the mode of dump directories to 750.

Comment 7 Marek Bryša 2015-05-26 10:26:28 UTC
I believe there is one tiny mistake in the Doc Text:
"The fix for this issue prevents non-privileged users FROM access TO any crash reports, ..."

Comment 8 errata-xmlrpc 2015-06-09 19:49:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 9 errata-xmlrpc 2015-07-07 08:40:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html


Note You need to log in before you can comment on or make changes to this bug.