Bug 1695948 (CVE-2019-12779) - CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Summary: CVE-2019-12779 libqb: Insecure treatment of IPC (temporary) files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1714855 (view as bug list)
Depends On: 1695949 1714853 1714854
Blocks: 1695950
TreeView+ depends on / blocked
 
Reported: 2019-04-03 23:30 UTC by Pedro Sampaio
Modified: 2020-04-21 07:02 UTC (History)
10 users (show)

Fixed In Version: libqb 1.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:31 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3610 None None None 2019-11-05 21:18:46 UTC
Red Hat Product Errata RHSA-2020:1189 None None None 2020-03-31 19:33:24 UTC

Description Pedro Sampaio 2019-04-03 23:30:00 UTC
A flaw was found in libqb. Isecure handling of temporari files could be exploited by a local attacker to overwrite privileged system files.

Upstream issue:

https://github.com/ClusterLabs/libqb/issues/338

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1685297

Comment 1 Pedro Sampaio 2019-04-03 23:30:13 UTC
Created libqb tracking bugs for this issue:

Affects: fedora-all [bug 1695949]

Comment 4 Christine Caulfield 2019-04-16 08:10:43 UTC
v1.0.4 has been released upstream to fix these issues

Comment 6 Jan Pokorný [poki] 2019-04-26 09:17:18 UTC
Has a CVE been assigned for this flaw, yet?

FTR. v1.0.4 could technically solve the problem, but we don't want
to advertise that version anywhere, for being botched, rendering it's
prime use case (cluster stack) unusable -- subsequent v1.0.5 fixes that:
https://lists.clusterlabs.org/pipermail/users/2019-April/025712.html

Comment 9 Huzaifa S. Sidhpurwala 2019-05-29 04:12:23 UTC
Analysis:

The problem basically lies in how temporary files are handled by the libqb. 

1. Predictable file names are used in the world writeable directories namely /dev/shm and /tmp.
2. O_EXCL flag is not used when creating temp files.

This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

Most likely attack scenario is when a privileged program linked against libqb uses temp files. Due to the race-condition it is possible that the attacker could overwrite arbitrary system files.

Patch:

https://github.com/ClusterLabs/libqb/commit/e322e98dc264bc5911d6fe1d371e55ac9f95a71e
https://github.com/ClusterLabs/libqb/commit/7cd7b06d52ac80c343f362c7e39ef75495439dfc

Comment 13 Jan Pokorný [poki] 2019-06-07 19:13:50 UTC
Re [comment 6]: as instructed, asked for a CVE from MITRE.
Will report back here.

Comment 14 Jan Pokorný [poki] 2019-06-08 05:37:22 UTC
This has been assigned CVE-2019-12779.

Comment 15 errata-xmlrpc 2019-11-05 21:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3610 https://access.redhat.com/errata/RHSA-2019:3610

Comment 16 Product Security DevOps Team 2019-11-06 00:52:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12779

Comment 17 errata-xmlrpc 2020-03-31 19:33:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1189 https://access.redhat.com/errata/RHSA-2020:1189

Comment 18 Huzaifa S. Sidhpurwala 2020-04-21 07:02:36 UTC
*** Bug 1714855 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.