Bug 1352437 (CVE-2016-6153) - CVE-2016-6153 sqlite: Tempdir selection vulnerability
Summary: CVE-2016-6153 sqlite: Tempdir selection vulnerability
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-6153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1352438 1352439 1352440 1352442 1352443
Blocks: 1352447
Reported: 2016-07-04 07:47 UTC by Adam Mariš
Modified: 2021-02-17 03:38 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-06 03:15:17 UTC
Embargoed:



Description Adam Mariš 2016-07-04 07:47:10 UTC
It was found that the temporary directory search algorithm doesn't allow directories with only -wx permissions on Unix. Instead it falls back to '.' even if it's an unsafe location. Although the permissions of '.' are checked, the result of that check is ignored.

Upstream patch:

https://www.sqlite.org/cgi/src/info/67985761aa93fb61
https://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
https://www.sqlite.org/cgi/src/info/614bb709d34e1148

CVE assignment:

http://seclists.org/oss-sec/2016/q3/1

External References:

https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

Comment 1 Adam Mariš 2016-07-04 07:48:18 UTC
Created sqlite2 tracking bugs for this issue:

Affects: fedora-all [bug 1352439]
Affects: epel-all [bug 1352443]

Comment 2 Adam Mariš 2016-07-04 07:48:26 UTC
Created sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1352438]

Comment 3 Adam Mariš 2016-07-04 07:48:33 UTC
Created mingw-sqlite tracking bugs for this issue:

Affects: fedora-all [bug 1352440]
Affects: epel-7 [bug 1352442]

Comment 4 Doran Moppert 2016-07-06 03:01:45 UTC
The impact of this issue is certainly low, if it can even be considered a security flaw.

The hard-coded temp dir search path follows:

  1. temp_store_directory pragma (if defined)
  2. SQLITE_TMPDIR environment var
  3. TMPDIR env var
  4. /var/tmp
  5. /usr/tmp
  6. /tmp

Only if all of these are exhausted is the cwd used. The impact of this bug is such that directories with permissions (relative to the user) of exactly -wx (writable, searchable but not readable) will be erroneously skipped. Finally, a randomly-generated filename is used, appropriate permissions (0600) and open(2) flags are used, and the file is unlinked once sqlite is finished with it.

RHEL ships by default with mode 1777 on /var/tmp, /usr/tmp and /tmp.

For this flaw to have any impact on a RHEL system:

  - the sysadmin would need to have changed permissions on all three tmp directories
  - the affected application would need to chdir() to a dangerous location: in particular, a network share with poor permissions management, or removable media
  - the application would need to use VACUUM, a temp database, a materialized view, statement journals or transient indices involving sensitive data
  - an attacker would need to race to access the file, or recover it from deleted blocks

RHEL's builds of sqlite do not override any default options nor patch the source in a way that impacts this issue.
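
The search order and the two defects described in the comment above, as an added example that is my own model and not SQLite's code: the probe callback is a hypothetical seam, and the permission table is constructed so the buggy policy (requires rwx, then returns "." whether or not it passed) and the fixed policy (accepts -wx, checks "." like any other entry, returns NULL so the caller can fail) can be compared without touching real directory modes.

```c
/* Added example, not SQLite's own code: a model of the temp-directory
 * search described above. One candidate list is run through the buggy
 * policy (requires rwx, then silently falls back to ".") and the fixed
 * policy (accepts -wx, checks "." like any other entry, returns NULL). */
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Probe seam (hypothetical): is `dir` a directory, and is it readable,
 * writable and searchable for the calling user? */
typedef int (*dir_probe)(const char *dir, int *r, int *w, int *x);
/* Real probe for stand-alone use: stat(2) + access(2). */
int real_probe(const char *dir, int *r, int *w, int *x) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    *r = access(dir, R_OK) == 0;
    *w = access(dir, W_OK) == 0;
    *x = access(dir, X_OK) == 0;
    return 1;
}
/* Constructed permission table so both policies can be compared without
 * changing real directory modes (access(2) also says yes to root). */
static const struct { const char *name; int exists, r, w, x; } fake_fs[] = {
    { "/var/tmp", 1, 0, 1, 1 },  /* admin tightened it to d-wx------ */
    { "/tmp",     0, 0, 0, 0 },  /* absent on this host */
    { ".",        1, 1, 0, 1 },  /* cwd is read-only media: not writable */
};
int fake_probe(const char *dir, int *r, int *w, int *x) {
    for (size_t i = 0; i < sizeof fake_fs / sizeof fake_fs[0]; i++) {
        if (strcmp(fake_fs[i].name, dir) != 0) continue;
        *r = fake_fs[i].r; *w = fake_fs[i].w; *x = fake_fs[i].x;
        return fake_fs[i].exists;
    }
    return 0;
}
/* dirs[] is the ordered candidate list: pragma, SQLITE_TMPDIR, TMPDIR,
 * then the hard-coded entries; unset entries are NULL and "." is last. */
const char *pick_tempdir(const char *const *dirs, size_t n,
                         dir_probe probe, int fixed) {
    for (size_t i = 0; i < n; i++) {
        int r = 0, w = 0, x = 0;
        if (dirs[i] == NULL || !probe(dirs[i], &r, &w, &x)) continue;
        if (fixed ? (w && x) : (r && w && x)) return dirs[i];
    }
    return fixed ? NULL : dirs[n - 1];  /* buggy: "." wins unchecked */
}
```

With the constructed table, the buggy policy skips the -wx /var/tmp and hands back an unwritable "." anyway, while the fixed policy picks /var/tmp and reports failure when no candidate qualifies.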

Comment 6 Fedora Update System 2016-07-14 14:50:54 UTC
sqlite-3.13.0-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
