Bug 1292432 (CVE-2015-1336) - CVE-2015-1336 man-db: TOCTOU bug when processing catman pages
Summary: CVE-2015-1336 man-db: TOCTOU bug when processing catman pages
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-1336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1292433
Blocks: 1292434
TreeView+ depends on / blocked
 
Reported: 2015-12-17 12:49 UTC by Martin Prpič
Modified: 2021-02-17 04:35 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-07 06:22:58 UTC
Embargoed:


Attachments (Terms of Use)

Description Martin Prpič 2015-12-17 12:49:01 UTC
The following flaw was found in man-db:

The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man.

Originally filed against Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1482786

External References:

http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

Comment 1 Martin Prpič 2015-12-17 12:49:30 UTC
Created man-db tracking bugs for this issue:

Affects: fedora-all [bug 1292433]

Comment 2 Nikola Forró 2016-01-04 13:26:06 UTC
Hello,

It appears to me that Fedora and RHEL7 man-db packages are not affected by this, since there is no cleanup job for old catman pages there:
http://pkgs.fedoraproject.org/cgit/man-db.git/tree/man-db.crondaily?h=f23

Comment 3 Doran Moppert 2016-06-07 06:15:54 UTC
Nikola's comment above is correct:  man-db in rhel and fedora are not
affected.  The man-db crontab in both doesn't chown thus lacks the
TOCTOU issue, plus (at least on rhel) /var/cache/man lacks the setgid
bit which makes the other part of this attack possible.


Note You need to log in before you can comment on or make changes to this bug.