Bug 288221 (CVE-2007-5495) - CVE-2007-5495 setroubleshoot insecure logging
Summary: CVE-2007-5495 setroubleshoot insecure logging
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 421791
Blocks:
Reported: 2007-09-12 18:48 UTC by Mark J. Cox
Modified: 2019-09-29 12:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-29 07:52:44 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0061 0 normal SHIPPED_LIVE Moderate: setroubleshoot security and bug fix update 2008-05-21 14:25:59 UTC

Description Mark J. Cox 2007-09-12 18:48:53 UTC
reported via secalert@redhat.com


By default, the sealert program writes diagnostic messages to the file
/tmp/sealert.log. It does not check to ensure that this file does not
already exist, or that it is not a symbolic link. An unprivileged local
attacker can exploit this flaw to cause arbitrary files writable by
other users to be overwritten when those users run sealert. The sealert
program is run automatically, without user action, as part of the
default RHEL 5 GNOME desktop session. It does not appear to be possible
for the attacker to cause arbitrary data to be written to sealert.log,
but the previous contents of the file are erased.
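
The missing check described above, next to a hardened opener, as an added example that is not part of the original report or of setroubleshoot's code. The temporary directory standing in for /tmp, the file names, and the helper `safe_open_log` are assumptions for illustration; per Comment 1 below, upstream resolved the issue by no longer creating the file at all.

```python
import os
import stat
import tempfile
from pathlib import Path

def naive_open_log(path):
    # Models the reported behaviour: no existence or symlink check.
    # Mode "w" follows a symlink and truncates whatever it points to.
    return open(path, "w")

def safe_open_log(path):
    # Hypothetical hardened opener: never follow a symlink, never truncate,
    # and accept only a singly-linked regular file owned by the caller.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # ELOOP (OSError) if path is a symlink
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_nlink != 1):
        os.close(fd)
        raise PermissionError(f"refusing to log to {path}")
    return os.fdopen(fd, "a")

def demo():
    # Constructed scenario: a private temp dir stands in for /tmp.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = Path(d, "victim.txt")   # file the sealert user can write
        log = Path(d, "sealert.log")     # predictable log path
        victim.write_text("important data\n")
        log.symlink_to(victim)           # link already in place when sealert runs

        try:
            safe_open_log(log).close()
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True
        results["after_safe"] = victim.read_text()

        naive_open_log(log).close()      # follows the link, erases the target
        results["after_naive"] = victim.read_text()
    return results

if __name__ == "__main__":
    print(demo())
```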

Comment 1 John Dennis 2007-09-13 16:47:20 UTC
This is already addressed in the current upstream, the file is no longer created.

Comment 2 Steve Grubb 2007-09-13 19:02:43 UTC
What about RHEL5.1's version?

Comment 3 John Dennis 2007-09-14 22:35:46 UTC
The RHEL 5.1 version is the same as 5.0. It would be trivial to patch RHEL to
turn off creation of this log file.

The only way for security sensitive information to be written to the file would
be if the verbose debug logging was turned on, but that requires root privilege
to modify the configuration. Tracebacks due to program exceptions which might be
written to the file do not contain user data.

Comment 7 Mark J. Cox 2008-05-21 14:17:39 UTC
removing embargo

Comment 8 Tomas Hoger 2008-05-25 18:33:57 UTC
John, can you please clarify which upstream setroubleshoot version first fixed
this flaw?  I see /tmp/sealert.log defined in config.py in 1.8.11 and is no
longer set in 1.9.4, but I fail to find versions in between to check which
version was the first to include this change.

Comment 9 John Dennis 2008-05-27 15:20:49 UTC
No, I don't recall the exact version this first appeared in. If it's important I
could research it.

Comment 10 Tomas Hoger 2008-05-27 16:03:08 UTC
Probably not if you agree with the assessment that fix occurred somewhere in
between 1.8.11 and 1.9.4, so that I managed to identify the right change that
was used to resolve this issue.

Is there any place where all previous upstream versions can be found?

Comment 11 Red Hat Product Security 2008-05-29 07:52:44 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0061.html