Bug 1280543 (CVE-2015-7543) - CVE-2015-7543 arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
Summary: CVE-2015-7543 arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
Status: CLOSED WONTFIX
Alias: CVE-2015-7543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1289235 1289236 1289237 1289238
Blocks: 1281443
Reported: 2015-11-12 03:06 UTC by Yaakov Selkowitz
Modified: 2019-09-29 13:39 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-12-08 05:44:49 UTC



Description Yaakov Selkowitz 2015-11-12 03:06:51 UTC
Description of problem:
aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC.  If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3).  A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):
arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:
(Warning: Do NOT try this during a KDE session!)
0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
OR: kdeinit
OR: lnusertemp socket

Actual results:
A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:
mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:
This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself.  However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes.

The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c):

https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
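
As an added illustration (written for this page, not taken from the arts, kdelibs3 or upstream kdelibs sources), the C below sketches the fallback logic the "Expected results" ask for: the well-known directory is used only if it is a real 0700 directory owned by the caller, and otherwise the ${KSOCKETDIR}XXXXXX fallback is created with mkdtemp(3) in one atomic step instead of naming it with mktemp(3) first. The function names `secure_socket_dir` and `dir_is_private` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True only if `path` is a real directory (not a symlink) owned by the calling
 * user with mode 0700. This rejects both squatting variants from the report:
 * a plain file planted at the well-known path, and a directory pre-created
 * by another user. (Hypothetical helper, not lnusertemp's own code.) */
static int dir_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if ((st.st_mode & 0777) != 0700) return 0;
    return 1;
}

/* Hypothetical replacement for the lnusertemp fallback logic.
 * Tries the well-known location `preferred` first; if it cannot be used, falls
 * back to mkdtemp(3), which picks the random name and creates the directory
 * (mode 0700) in one step, so there is no name-then-create window to race.
 * On success writes the usable path into `out` and returns 0; returns -1 on error. */
int secure_socket_dir(const char *preferred, char *out, size_t outlen) {
    char tmpl[PATH_MAX];

    /* mkdir() is atomic: either we created it, or something already exists there. */
    if ((mkdir(preferred, 0700) == 0 || errno == EEXIST) && dir_is_private(preferred)) {
        if (snprintf(out, outlen, "%s", preferred) >= (int)outlen) return -1;
        return 0;
    }

    /* Fallback: ${preferred}XXXXXX, but created via mkdtemp(3) instead of mktemp(3). */
    if (snprintf(tmpl, sizeof tmpl, "%sXXXXXX", preferred) >= (int)sizeof tmpl) return -1;
    if (mkdtemp(tmpl) == NULL) return -1;
    if (snprintf(out, outlen, "%s", tmpl) >= (int)outlen) return -1;
    return 0;
}
```

The symlink from ~/.kde/socket-$HOSTNAME to the chosen directory, which the real lnusertemp also maintains, is left out here.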

Comment 1 Kurt Seifried 2015-12-07 17:37:15 UTC
Created kdelibs3 tracking bugs for this issue:

Affects: fedora-all [bug 1289235]
Affects: epel-7 [bug 1289236]

Comment 2 Kurt Seifried 2015-12-07 17:37:20 UTC
Created arts tracking bugs for this issue:

Affects: fedora-all [bug 1289237]
Affects: epel-7 [bug 1289238]

Comment 3 Kevin Kofler 2015-12-07 18:40:59 UTC
Yes, that patch (fairly trivial at that) should fix it, let's apply it ASAP.

Comment 4 Yaakov Selkowitz 2015-12-08 05:11:36 UTC
For the sake of public disclosure, TDE arts and tdelibs, being forks of the above (and unchanged wrt this particular code), are similarly affected.  Neither is currently in Fedora.  I have filed this with upstream TDE:

https://bugs.trinitydesktop.org/show_bug.cgi?id=2556

Comment 7 Kevin Kofler 2015-12-10 09:16:08 UTC
For anybody reading this, the WONTFIX is only for RHEL; I am fixing this in Fedora, see the Fedora trackers (arts: bug #1289237, kdelibs3: bug #1289235).

arts fix: http://pkgs.fedoraproject.org/cgit/arts.git/plain/arts-1.5.10-CVE-2015-7543.patch
kdelibs3 fix: http://pkgs.fedoraproject.org/cgit/kdelibs3.git/plain/kdelibs-3.5.10-CVE-2015-7543.patch

Comment 8 Fedora Update System 2015-12-29 22:25:00 UTC
kdelibs3-3.5.10-71.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-12-29 22:25:13 UTC
arts-1.5.10-30.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-12-30 17:50:52 UTC
kdelibs3-3.5.10-71.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-12-30 17:51:00 UTC
arts-1.5.10-30.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

