Bug 1695948 (CVE-2019-12779) - CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Summary: CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Keywords:
Status: NEW
Alias: CVE-2019-12779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190403,repor...
Depends On: 1714853 1714854 1695949
Blocks: 1695950
Reported: 2019-04-03 23:30 UTC by Pedro Sampaio
Modified: 2019-07-26 21:36 UTC (History)

Fixed In Version: libqb 1.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Description Pedro Sampaio 2019-04-03 23:30:00 UTC
A flaw was found in libqb. Insecure handling of temporary files could be exploited by a local attacker to overwrite privileged system files.

Upstream issue:

https://github.com/ClusterLabs/libqb/issues/338

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1685297

Comment 1 Pedro Sampaio 2019-04-03 23:30:13 UTC
Created libqb tracking bugs for this issue:

Affects: fedora-all [bug 1695949]

Comment 4 Christine Caulfield 2019-04-16 08:10:43 UTC
v1.0.4 has been released upstream to fix these issues

Comment 6 Jan Pokorný [poki] 2019-04-26 09:17:18 UTC
Has a CVE been assigned for this flaw yet?

FTR, v1.0.4 could technically solve the problem, but we don't want
to advertise that version anywhere, for being botched, rendering its
prime use case (cluster stack) unusable -- subsequent v1.0.5 fixes that:
https://lists.clusterlabs.org/pipermail/users/2019-April/025712.html

Comment 9 Huzaifa S. Sidhpurwala 2019-05-29 04:12:23 UTC
Analysis:

The problem basically lies in how temporary files are handled by libqb.

1. Predictable file names are used in the world-writable directories, namely /dev/shm and /tmp.
2. The O_EXCL flag is not used when creating temp files.

This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

The most likely attack scenario is when a privileged program linked against libqb uses temp files. Due to the race condition it is possible that the attacker could overwrite arbitrary system files.

Patch:

https://github.com/ClusterLabs/libqb/commit/e322e98dc264bc5911d6fe1d371e55ac9f95a71e
https://github.com/ClusterLabs/libqb/commit/7cd7b06d52ac80c343f362c7e39ef75495439dfc

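Comment 9 above names the two defects: a predictable name in a world-writable directory, and creation without O_EXCL. The C sketch below is added here as an illustration and is not libqb's code: it contrasts a helper written the unfixed way with hardened variants (O_EXCL plus O_NOFOLLOW on a fixed path, and mkstemp() for an unpredictable name). The function names and the /tmp path are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not libqb code): open an IPC file at a fixed path the
 * unfixed way. Without O_EXCL it follows whatever is at that path and truncates it. */
int ipc_file_open_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: O_EXCL makes creation fail with EEXIST if any entry
 * (file or symlink) already exists, O_NOFOLLOW is a second guard against
 * symlinks, O_CLOEXEC keeps the descriptor out of spawned children. */
int ipc_file_open_safe(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;   /* negative errno on failure */
}

/* Unpredictable name: mkstemp() fills the XXXXXX suffix randomly and itself
 * creates the file with O_EXCL and mode 0600. On success `out` holds the
 * final path so the caller can unlink it later. */
int ipc_file_create_random(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/qb-example-XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -ENAMETOOLONG;
    int fd = mkstemp(out);
    return fd < 0 ? -errno : fd;
}

/* Self-check: once an entry exists at the predictable path, the safe opener
 * refuses it (-EEXIST) where the unsafe one would have truncated it. */
int demo_exclusive_create(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/qb-example-predictable", dir);
    unlink(path);                          /* constructed path; start clean */
    int fd = ipc_file_open_safe(path);
    if (fd < 0) return fd;
    close(fd);
    int again = ipc_file_open_safe(path);  /* entry already there -> -EEXIST */
    unlink(path);
    return again;
}
```
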
Comment 13 Jan Pokorný [poki] 2019-06-07 19:13:50 UTC
Re [comment 6]: as instructed, asked for a CVE from MITRE.
Will report back here.

Comment 14 Jan Pokorný [poki] 2019-06-08 05:37:22 UTC
This has been assigned CVE-2019-12779.
