Bug 1695948 (CVE-2019-12779) - CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Summary: CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1714855
Depends On: 1695949 1714853 1714854
Blocks: 1695950
Reported: 2019-04-03 23:30 UTC by Pedro Sampaio
Modified: 2020-04-21 07:02 UTC (History)

Fixed In Version: libqb 1.0.4
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:31 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3610 0 None None None 2019-11-05 21:18:46 UTC
Red Hat Product Errata RHSA-2020:1189 0 None None None 2020-03-31 19:33:24 UTC

Description Pedro Sampaio 2019-04-03 23:30:00 UTC
A flaw was found in libqb. Insecure handling of temporary files could be exploited by a local attacker to overwrite privileged system files.

Upstream issue:

https://github.com/ClusterLabs/libqb/issues/338

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1685297

Comment 1 Pedro Sampaio 2019-04-03 23:30:13 UTC
Created libqb tracking bugs for this issue:

Affects: fedora-all [bug 1695949]

Comment 4 Christine Caulfield 2019-04-16 08:10:43 UTC
v1.0.4 has been released upstream to fix these issues

Comment 6 Jan Pokorný [poki] 2019-04-26 09:17:18 UTC
Has a CVE been assigned for this flaw, yet?

FTR, v1.0.4 could technically solve the problem, but we don't want
to advertise that version anywhere, for being botched, rendering its
prime use case (cluster stack) unusable -- subsequent v1.0.5 fixes that:
https://lists.clusterlabs.org/pipermail/users/2019-April/025712.html

Comment 9 Huzaifa S. Sidhpurwala 2019-05-29 04:12:23 UTC
Analysis:

The problem basically lies in how temporary files are handled by libqb.

1. Predictable file names are used in the world-writable directories, namely /dev/shm and /tmp.
2. The O_EXCL flag is not used when creating temp files.

This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

The most likely attack scenario is when a privileged program linked against libqb uses temp files. Due to the race condition it is possible that the attacker could overwrite arbitrary system files.

Patch:

https://github.com/ClusterLabs/libqb/commit/e322e98dc264bc5911d6fe1d371e55ac9f95a71e
https://github.com/ClusterLabs/libqb/commit/7cd7b06d52ac80c343f362c7e39ef75495439dfc

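The two defects named in the analysis above (predictable names, no O_EXCL) beside the hardened pattern, as an added C example that is not libqb's own code; the function names and scratch paths are constructed for the demo:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Weak pattern from the analysis: predictable name, no O_EXCL. If a file or
 * symlink was already placed at the path, open() follows and truncates it. */
int open_tmp_weak(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything is at the path and,
 * per POSIX, also fails when the last component is a symlink. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
/* Better: mkstemp() picks an unpredictable name (O_CREAT|O_EXCL inside), then
 * fstat() confirms a fresh regular file we own. tmpl ends in "XXXXXX". */
int open_tmp_fresh(char *tmpl)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || st.st_uid != geteuid())) {
        close(fd); unlink(tmpl); errno = EPERM; fd = -1;
    }
    return fd;
}

/* Demo with constructed paths in a private scratch directory: a stale file at
 * the predictable name is reused by the weak open but rejected (EEXIST) by the
 * exclusive open, and mkstemp succeeds. Returns 0 only if all three hold. */
int demo(void)
{
    char dir[] = "/tmp/qbdemo.XXXXXX", fixed[64], tmpl[64];
    int fd, rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fixed, sizeof fixed, "%s/qb-ipc-1234", dir);
    snprintf(tmpl, sizeof tmpl, "%s/qb-ipc-XXXXXX", dir);
    if ((fd = open(fixed, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd); /* stale */
    if ((fd = open_tmp_weak(fixed)) >= 0) { close(fd); rc = 0; }
    if (open_tmp_exclusive(fixed) != -1 || errno != EEXIST) rc = -2;
    if ((fd = open_tmp_fresh(tmpl)) < 0) rc = -3; else close(fd);
    unlink(fixed); unlink(tmpl); rmdir(dir);
    return rc;
}
```
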
Comment 13 Jan Pokorný [poki] 2019-06-07 19:13:50 UTC
Re [comment 6]: as instructed, asked for a CVE from MITRE.
Will report back here.

Comment 14 Jan Pokorný [poki] 2019-06-08 05:37:22 UTC
This has been assigned CVE-2019-12779.

Comment 15 errata-xmlrpc 2019-11-05 21:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3610 https://access.redhat.com/errata/RHSA-2019:3610

Comment 16 Product Security DevOps Team 2019-11-06 00:52:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12779

Comment 17 errata-xmlrpc 2020-03-31 19:33:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1189 https://access.redhat.com/errata/RHSA-2020:1189

Comment 18 Huzaifa S. Sidhpurwala 2020-04-21 07:02:36 UTC
*** Bug 1714855 has been marked as a duplicate of this bug. ***