Bug 1280543 - (CVE-2015-7543) CVE-2015-7543 arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
impact=moderate,public=20151207,repor...
Keywords: Security
Depends On: 1289236 1289238 1289235 1289237
Blocks: 1281443
Reported: 2015-11-11 22:06 EST by Yaakov Selkowitz
Modified: 2016-11-08 10:54 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-12-08 00:44:49 EST
Type: Bug
Description Yaakov Selkowitz 2015-11-11 22:06:51 EST
Description of problem:
aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC.  If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3).  A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):
arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:
(Warning: Do NOT try this during a KDE session!)
0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
OR: kdeinit
OR: lnusertemp socket

Actual results:
A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:
mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:
This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself.  However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes.

The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c):

https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
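The change the report asks for, mktemp(3) replaced by mkdtemp(3), as an added example that is not the arts or kdelibs3 code: a minimal lnusertemp-style fallback in its racy and hardened forms, with the ownership and mode check that refuses a well-known path someone else created. Function names and the /tmp prefix are assumptions.

```c
/* Added example (not from arts/kdelibs): the socket-directory fallback
 * written two ways.  The first mirrors the mktemp(3)+mkdir(2) pattern the
 * report describes; the second uses mkdtemp(3), which picks the name and
 * creates the 0700 directory in one atomic call.  Names are assumptions. */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is `path` an existing directory that belongs to us with mode 0700?
 * A plain file, a symlink or another user's directory at the well-known
 * location is rejected instead of being reused for IPC. */
static int usable_private_dir(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;        /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return 0;         /* file or symlink planted there */
    if (st.st_uid != getuid()) return 0;        /* created by another user */
    if ((st.st_mode & 0777) != 0700) return 0;  /* accessible to others */
    return 1;
}

/* Vulnerable fallback (the pattern this bug is about): mktemp() only
 * chooses a name; the mkdir() that follows is a separate step, so there is
 * a window between the two in which the name is known but not yet taken. */
static int make_socket_dir_racy(const char *preferred, char *out, size_t len) {
    if (usable_private_dir(preferred)) { snprintf(out, len, "%s", preferred); return 0; }
    snprintf(out, len, "%sXXXXXX", preferred);
    if (mktemp(out)[0] == '\0') return -1;      /* name chosen ...            */
    return mkdir(out, 0700);                    /* ... then created: TOCTOU   */
}

/* Hardened fallback: mkdtemp() creates the directory atomically with mode
 * 0700 and fails rather than reusing an entry that already exists. */
static int make_socket_dir_safe(const char *preferred, char *out, size_t len) {
    if (usable_private_dir(preferred)) { snprintf(out, len, "%s", preferred); return 0; }
    snprintf(out, len, "%sXXXXXX", preferred);
    return mkdtemp(out) ? 0 : -1;
}
```

With the well-known path already present as an unowned file or foreign directory, both versions fall back to a random name; only the mkdtemp(3) version does so without a window in which the name can be claimed by someone else.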
Comment 1 Kurt Seifried 2015-12-07 12:37:15 EST
Created kdelibs3 tracking bugs for this issue:

Affects: fedora-all [bug 1289235]
Affects: epel-7 [bug 1289236]
Comment 2 Kurt Seifried 2015-12-07 12:37:20 EST
Created arts tracking bugs for this issue:

Affects: fedora-all [bug 1289237]
Affects: epel-7 [bug 1289238]
Comment 3 Kevin Kofler 2015-12-07 13:40:59 EST
Yes, that patch (fairly trivial at that) should fix it, let's apply it ASAP.
Comment 4 Yaakov Selkowitz 2015-12-08 00:11:36 EST
For the sake of public disclosure, TDE arts and tdelibs, being forks of the above (and unchanged wrt this particular code), are similarly affected.  Neither is currently in Fedora.  I have filed this with upstream TDE:

https://bugs.trinitydesktop.org/show_bug.cgi?id=2556
Comment 7 Kevin Kofler 2015-12-10 04:16:08 EST
For anybody reading this, the WONTFIX is only for RHEL, I am fixing this in Fedora, see the Fedora trackers (arts: bug #1289237, kdelibs3: bug #1289235).

arts fix: http://pkgs.fedoraproject.org/cgit/arts.git/plain/arts-1.5.10-CVE-2015-7543.patch
kdelibs3 fix: http://pkgs.fedoraproject.org/cgit/kdelibs3.git/plain/kdelibs-3.5.10-CVE-2015-7543.patch
Comment 8 Fedora Update System 2015-12-29 17:25:00 EST
kdelibs3-3.5.10-71.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-12-29 17:25:13 EST
arts-1.5.10-30.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2015-12-30 12:50:52 EST
kdelibs3-3.5.10-71.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-12-30 12:51:00 EST
arts-1.5.10-30.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
