Bug 1919933 (CVE-2020-8025) - CVE-2020-8025 pcp: Insecure permission of /var/lib/pcp/tmp/ directories on SUSE
Summary: CVE-2020-8025 pcp: Insecure permission of /var/lib/pcp/tmp/ directories on SUSE
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-8025
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1919937
Blocks: 1919935
Reported: 2021-01-25 12:14 UTC by Dhananjay Arunesh
Modified: 2021-03-02 21:36 UTC (History)
6 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-01-31 23:25:24 UTC
Embargoed:



Description Dhananjay Arunesh 2021-01-25 12:14:04 UTC
A vulnerability was found where the Base:System/permissions package could provide weaker than expected security, caused by an incorrect execution-assigned permissions flaw. An attacker could exploit this vulnerability to launch further attacks on the system.

Comment 1 Dhananjay Arunesh 2021-01-25 12:17:19 UTC
Created pcp tracking bugs for this issue:

Affects: fedora-all [bug 1919937]

Comment 2 Nathan Scott 2021-01-25 17:24:56 UTC
What is the "permissions package" in this context?  From minimal google-ing, is it this...?

    https://software.opensuse.org/package/permissions

This package does not exist on Fedora or RHEL, AFAICT?

Comment 3 Andreas Gerstmayr 2021-01-25 17:27:31 UTC
I'm not aware of any "permissions" package in Fedora, can you point me to it?
afaics this CVE affects the https://github.com/openSUSE/permissions package, and this bug was fixed in https://github.com/openSUSE/permissions/commit/2a9b42a535a91e733e3efafdb28edf7499ab53ba

To me it looks like this package is only available for SuSE, and hence Fedora is not affected by this CVE.

A similar package is https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/pcp.fc, but that configuration seems right regarding /var/lib/pcp.

Comment 4 Nathan Scott 2021-01-31 23:25:24 UTC
As discussed in the two previous comments, this appears to have been opened in error - the package with the problem does not exist in either Fedora or RHEL.  Please feel free to re-open if this is incorrect or new information comes to light.

Comment 5 Dhananjay Arunesh 2021-02-03 19:06:45 UTC
In reply to comment #2:
> What is the "permissions package" in this context?  From minimal google-ing,
> is it this...?
> 
>     https://software.opensuse.org/package/permissions
> 
> This package does not exist on Fedora or RHEL, AFAICT?

Edited comment #0 with the new update: A vulnerability was found where the Base:System/permissions package could provide weaker than expected security, caused by an incorrect execution-assigned permissions flaw. An attacker could exploit this vulnerability to launch further attacks on the system.

Let me know if you need any more information.

Comment 6 Nathan Scott 2021-02-03 22:40:56 UTC
(In reply to Dhananjay Arunesh from comment #5)
> [...]
> Let me know if you need any more information.

We can't find any such package in Fedora/RHEL ... and certainly no reason for this BZ to have been assigned to pcp component.  It looks like a SUSE-specific issue AFAICT.

Comment 7 Tomas Hoger 2021-02-04 20:31:43 UTC
The important part of the CVE information that has not been propagated to this bug is the link to the relevant SUSE bug report:

https://bugzilla.suse.com/show_bug.cgi?id=1171883

That bug explains that in a non-default configuration of SUSE Linux permissions of the directory /var/lib/pcp/tmp/ and certain of its subdirectories can be overridden to more permissive root:root 1777, i.e. world writable with a sticky bit, similar to what's used for /tmp or /var/tmp.

The following comment has some notes on the possible impact:

https://bugzilla.suse.com/show_bug.cgi?id=1171883#c21

As noted in the comments above, this problem is specific to how pcp is packaged in SUSE distributions and is not applicable to Red Hat Enterprise Linux or Fedora.
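A host-side check for the condition comment 7 describes, as an added example that is not from the bug report, from pcp, or from the SUSE permissions package: a POSIX shell function that lists every directory under /var/lib/pcp/tmp whose mode bits grant write access to "other" (as the root:root 1777 override does); the subdirectory names used when exercising it are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report, pcp or the SUSE permissions package).
# Reports directories under a pcp tmp tree whose mode bits grant write access
# to "other", which is what the root:root 1777 override in the SUSE bug does.
# Exit status: 0 = no such directory, 1 = at least one found, 2 = path missing.
pcp_tmp_world_writable() {
    root=${1:-/var/lib/pcp/tmp}   # default is the path named in the bug
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 2
    fi
    # find -perm -o+w matches when every bit of the symbolic mode (here only
    # other-write) is set. This is a mode-bit test, so the result does not
    # depend on which uid runs the audit. ls -ld shows the full mode, so a
    # 1777 directory is printed as drwxrwxrwt and a 777 one as drwxrwxrwx.
    hits=$(find "$root" -type d -perm -o+w -exec ls -ld {} \; 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: audit the live tree (or another root passed as $1) and
# exit with the function's status, e.g. from a cron job or a CIS-style check.
# pcp_tmp_world_writable "$@"; exit $?
```

Uncomment the last line to run it as a script; a non-zero exit from the function is the signal that the /tmp-like override is in effect on that host.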

