Bug 1233520 – CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1233520 - (CVE-2015-3248) CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory

Summary:	CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory

Status:	CLOSED ERRATA

Aliases:	CVE-2015-3248

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20140210,reported=2...
Keywords:	Security

Duplicates:	1297458 (view as bug list)
Depends On:	1063367 1233521 1258729
Blocks:	1210268 1233522 1297459
	Show dependency tree / graph

Reported:	2015-06-19 01:40 EDT by Kurt Seifried
Modified:	2016-11-08 11:29 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that the "/var/lib/openhpi" directory provided by OpenHPI used world-writeable and world-readable permissions. A local user could use this flaw to view, modify, and delete OpenHPI-related data, or even fill up the storage device hosting the /var/lib directory.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-11-20 00:03:57 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:2369	normal	SHIPPED_LIVE	Low: openhpi security, bug fix, and enhancement update	2015-11-19 05:41:44 EST

Groups: None (edit)

Description Kurt Seifried 2015-06-19 01:40:20 EDT

openhpi ships with the /var/lib/openhpi/ directory set world readable and 
writeable. If this directory is used for storing the OPENHPI_UID_MAP or other
openhpi data for example an attacker would be able to view, modify and delete 
it. Even without such usage an attacker could use it to fill up the storage
hosting the /var/lib/ directory if quotas are not properly set.

Comment 1 Kurt Seifried 2015-06-19 01:41:43 EDT

Created openhpi tracking bugs for this issue:

Affects: fedora-all [bug 1233521]

Comment 3 Kurt Seifried 2015-11-17 12:37:44 EST

Acknowledgement:

This issue was discovered by Marko Myllynen of Red Hat.

Comment 4 errata-xmlrpc 2015-11-19 07:09:56 EST

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2369 https://rhn.redhat.com/errata/RHSA-2015-2369.html

Comment 5 Huzaifa S. Sidhpurwala 2015-11-20 00:03:57 EST

Statement:

This issue affects the version of openhpi as shipped with Red Hat Enterprise Linux 5 and 6. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5 and 6.

Comment 6 Huzaifa S. Sidhpurwala 2016-03-14 04:55:01 EDT

*** Bug 1297458 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.