Bug 1218658 (CVE-2015-3171) - CVE-2015-3171 sosreport: temporary file created with world-readable permissions
Summary: CVE-2015-3171 sosreport: temporary file created with world-readable permissions
Status: CLOSED NOTABUG
Alias: CVE-2015-3171
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150505,reported=2...
Keywords: Security
Depends On: 1218659
Blocks: 1225825
TreeView+ depends on / blocked
 
Reported: 2015-05-05 13:44 UTC by Martin Prpič
Modified: 2019-06-08 20:34 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-06-01 09:25:20 UTC


Attachments (Terms of Use)

Description Martin Prpič 2015-05-05 13:44:09 UTC
It was reported that sosreport creates output files with world-readable permissions:

-rw-r--r--. 1 root root 7331624 May 4 08:55
sosreport-localhost.localdomain-20150504084328.tar.xz
-rw-r--r--. 1 root root 33 May 4 08:55
sosreport-localhost.localdomain-20150504084328.tar.xz.md5

The archive may consists of files originally only accessible by the root user. However, after extracting the archive, all of the files are readable by regular users with access to /var/tmp/.

Acknowledgements:

Red Hat would like to thank Grant Murphy for reporting this issue.

Comment 1 Martin Prpič 2015-05-05 13:45:04 UTC
Created sos tracking bugs for this issue:

Affects: fedora-all [bug 1218659]

Comment 2 Bryn M. Reeves 2015-05-05 15:13:30 UTC
Version & release numbers?

Comment 3 Bryn M. Reeves 2015-05-05 15:25:18 UTC
Does not affect F20 or earlier:

# sosreport -v --batch -o general

sosreport (version 3.1)

This command will collect system configuration and diagnostic
information from this Fedora system. An archive containing the collected
information will be generated in /var/tmp.

For more information on the Fedora Project visit:

  https://fedoraproject.org/

The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party.

No changes will be made to system configuration.


 Running plugins. Please wait ...

  Running 1/1: general...        
Creating compressed archive...

Your sosreport has been generated and saved in:
  /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz

The checksum is: 640904285a51114c0b03f142e533af4c

Please send this file to your support representative.

[root@localhost ~]# ll /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz
-rw-------. 1 root root 584392 May  5 16:21 /var/tmp/sosreport-localhost.localdomain-20150505162121.tar.xz

Unfortunately F21 is still using an early build of 3.2 that has a bug in the umask handling for the tar archive:

commit d7759d3ddae5fe99a340c88a1d370d65cfa73fd6
Author: Bryn M. Reeves <bmr@redhat.com>
Date:   Thu Oct 30 16:46:01 2014 +0000

    [sosreport] fix archive permissions regression
    
    Restore the umask save/restore around archive creation and ensure
    the effective umask is 077 at the time of archive creation.
    
    Fixes #425.
    
    Signed-off-by: Bryn M. Reeves <bmr@redhat.com>

I'll update this in F21, 22 and rawhide to a version that includes the above commit.

Comment 4 Huzaifa S. Sidhpurwala 2015-06-01 09:21:39 UTC
This flaw is a regression in the default behaviour of sosreport, which was introduced by the following commit:

https://github.com/sosreport/sos/commit/8d2577786cce6fcc915836108e405dbf5025dec8

and was fixed via the following commit:

https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6

Comment 5 Huzaifa S. Sidhpurwala 2015-06-01 09:24:59 UTC
Statement:

Not vulnerable. This issue does not affect the version of sos package as shipped with Red Hat Enterprise Linux 5, 6 and 7.


Note You need to log in before you can comment on or make changes to this bug.