Bug 1216962 (CVE-2015-3159) - CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-install-debuginfo-to-abrt-cache
Summary: CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1211966 1211967 1216973 1216974 1216975
Blocks: 1211224 1214172
TreeView+ depends on / blocked
 
Reported: 2015-04-29 10:11 UTC by Florian Weimer
Modified: 2019-09-29 13:31 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the abrt-action-install-debuginfo-to-abrt-cache helper program did not properly filter the process environment before invoking abrt-action-install-debuginfo. A local attacker could use this flaw to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2015-07-09 05:35:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1083 normal SHIPPED_LIVE Important: abrt security update 2015-06-09 23:48:24 UTC
Red Hat Product Errata RHSA-2015:1210 normal SHIPPED_LIVE Moderate: abrt security update 2015-07-07 12:39:40 UTC

Description Florian Weimer 2015-04-29 10:11:49 UTC
It was discovered that the helper program,
abrt-action-install-debuginfo-to-abrt-cache, does not properly filter
the process environment (umask and truncated command line options)
before invoking abrt-action-install-debuginfo.  A local user could
exploit this vulnerability to obtain root privileges.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Florian Weimer 2015-04-29 10:38:09 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1216975]

Comment 4 Florian Weimer 2015-04-29 10:50:30 UTC
The fix should set the umask to 022 and apply a whitelist to the command line options.

Changing the current directory to /var/spool/abrt would be preferable as well, but this is difficult because some ways of running abrt-action-install-debuginfo open a file build_ids in the current directory (which could result in an abrt -> local user information disclosure).  Perhaps the wrapper can open the file, using the calling user's UID/GID, and pass it on standard input.

I also looked at the way in which yum creates the /var/tmp/yum-abrt-* directory, and it appears to be okay.

Comment 6 Florian Weimer 2015-05-06 07:50:54 UTC
Starting with Red Hat Enterprise Linux 6.5, due to a regression introduced by the fix for bug 759443 (“ABRT won't install debuginfos from rhn repository”), abrt-action-install-debuginfo does not seem to do much when abrt-action-install-debuginfo-to-abrt-cache is invoked by a non-root user, so the issue is mitigated in later versions of Red Hat Enterprise Linux 6.

Comment 7 Jakub Filak 2015-05-06 10:44:51 UTC
I would like to fix abrt-action-install-debuginfo in RHEL-6 to make it working for non-root users too again (bug #1216962). Only the users who use only rhn repositories suffers from bug #756443 (“ABRT won't install debuginfos from rhn repository”), but other users who might have configured custom repositories (or CentOS users) should be able to use ABRT to download debug info packages.

Comment 10 errata-xmlrpc 2015-06-09 19:49:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 11 errata-xmlrpc 2015-07-07 08:40:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html


Note You need to log in before you can comment on or make changes to this bug.