A Improper Control of Generation of Code vulnerability in the rpm packaging of pcp allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh. References: https://bugzilla.suse.com/show_bug.cgi?id=1152763
Created pcp tracking bugs for this issue: Affects: fedora-all [bug 1811704]
This issue was resolved some time ago by removing compatibility code in PCP v5 - all current Fedora versions are unaffected by the issue. commit 34c83f7ee46224fe410572f33c57a739f7bd044f Author: Nathan Scott <nathans> Date: Sun Oct 6 14:10:40 2019 +1100 build: drop old config file transition code from rpm specs Its been many years since this transition was done, good time now with pcp-5.0.0 to full this old shell code. Also remove the Fedora crontab transition logic as thats completely moved over to systemd now.
Please do not close this bug as this is not only Fedora specific, but it is used to describe the flaw. For the Fedora tracker see bug 1811704.
Ah, my mistake - apologies. What information do you need from me? (needinfo? set)
AFAICT nothing more is needed from me at this time, clearing 'needinfo'.
Upstream commit for this issue: https://github.com/performancecopilot/pcp/commit/34c83f7ee46224fe410572f33c57a739f7bd044f
There's an issue with pcp package, during pre installation phase the rpm copies some scripts from predetermined locations. Those scripts are further installed with permission to be executed as root user during post installation phase. An attacker may leverage this flaw by adding malicious code on certain scripts or manipulating those file paths, resulting in privilege escalation during package installation.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3869 https://access.redhat.com/errata/RHSA-2020:3869
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3695