Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1348622 - (CVE-2014-9770) CVE-2014-9770 systemd: weak permissions for journal files
CVE-2014-9770 systemd: weak permissions for journal files
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20160408,reported=2...
: Security
Depends On:
Blocks: 1323985
  Show dependency treegraph
 
Reported: 2016-06-21 11:22 EDT by Cedric Buissart
Modified: 2016-07-12 07:03 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-21 12:04:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Cedric Buissart 2016-06-21 11:22:30 EDT 
tmpfiles.d/systemd.conf in systemd v213 uses weak permissions for journal files under /run/log/journal/%m and /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files. 

seclist report:
http://seclists.org/oss-sec/2016/q2/34

Suse BTS:
https://bugzilla.suse.com/show_bug.cgi?id=972612

Introduced in v213 by commit:
https://github.com/systemd/systemd/commit/a606871da508995f5ede113a8fc6538afd98966c

Fixed in v214 by commit:
https://github.com/systemd/systemd/commit/176f2acf8dee45fee832fd2ab07243f63783a238
Comment 1 Cedric Buissart 2016-06-21 11:36:58 EDT 
Current RHEL version is shipped with v219, and is not affected by this issue.
Comment 2 Cedric Buissart 2016-06-22 04:56:24 EDT 
Additional precision :
The vulnerability was introduced in v213. Previous RHEL7 versions (7.0, 7.1, and their asynchronous releases) are based on v207 and v208, and are not affected either.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.