Bug 288271 - (CVE-2007-5496) CVE-2007-5496 setroubleshoot log injection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: reported=20070912,source=secalert,pub...
Keywords: Security
Depends On: 421791
Blocks:
Reported: 2007-09-12 14:54 EDT by Mark J. Cox (Product Security)
Modified: 2016-06-17 17:07 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-29 03:52:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Mark J. Cox (Product Security) 2007-09-12 14:54:57 EDT
reported via secalert@redhat.com:

The graphical sealert program interprets records in the setroubleshoot
database as HTML when it displays them to the user. These records
include arbitrary attacker-controlled values such as the names of
processes and files involved in AVC denial events, and the sealert
daemon fails to properly escape those values before passing them to its
HTML parser. This allows an unprivileged local attacker to inject
arbitrary HTML tags into the alerts displayed by the sealert browser,
altering an alert's appearance or inserting arbitrary links. There is no
preview bar to show a link's target URL. When a link in the alert is
clicked, the program executes the following Python code, where 'arg2' is
the value of the link's href attribute:

        os.spawnl(os.P_NOWAIT, "/usr/bin/htmlview", "htmlview", arg2)

The htmlview script executes the user's preferred web browser, which
defaults to /usr/bin/firefox under RHEL 5. Since the attacker controls
only one argument, it does not appear to be possible to inject arbitrary
shell commands, or to cause Firefox to execute arbitrary JavaScript in
chrome:/// context. However, in combination with security flaws in
Firefox or any other web browser that htmlview may launch, this flaw
could be used to execute arbitrary code or steal credentials.
Comment 1 John Dennis 2007-09-14 18:40:03 EDT
This is a valid flaw. The HTML is generated from templates with instance
specific values from the AVC substituted into the template. The data inserted
into the template should have their HTML entities escaped prior to template
substitution.

This is an easy fix and the RHEL version could be easily patched. The flaw is
present in all current versions.
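The template substitution described in the comment above, as an added example that is not setroubleshoot's own code: a constructed alert template is filled from a constructed AVC record, first with raw values (the flawed pattern) and then with HTML-escaped values (the fix), and a small check lists any start tag the template itself does not emit. The template text, the record contents and all function names here are assumptions.

```python
import html
from html.parser import HTMLParser
from string import Template

# Constructed stand-in for a sealert alert template (assumption: the real
# templates differ; only the substitution pattern matters here).
ALERT_TEMPLATE = Template(
    "<p>SELinux is preventing <b>$source</b> from accessing <b>$target</b>.</p>"
)

# Constructed AVC record: the process name carries attacker-controlled markup,
# as the report describes (a benign .invalid link stands in for the payload).
AVC_RECORD = {
    "source": 'httpd<a href="http://example.invalid/">click here</a>',
    "target": "/var/www/html/index.html",
}


def render_unescaped(record):
    """Flawed pattern: raw AVC values are substituted straight into the HTML."""
    return ALERT_TEMPLATE.substitute(record)


def render_escaped(record):
    """Fix from comment 1: escape HTML entities before template substitution."""
    safe = {key: html.escape(str(value), quote=True) for key, value in record.items()}
    return ALERT_TEMPLATE.substitute(safe)


class _TagCollector(HTMLParser):
    """Collects every start tag the parser sees in a rendered alert."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered, template_tags=frozenset({"p", "b"})):
    """Return start tags present in the rendered alert that the template does not emit."""
    collector = _TagCollector()
    collector.feed(rendered)
    return {tag for tag in collector.tags if tag not in template_tags}
```

Running `injected_tags` over both renderings shows the unescaped alert gains an `a` element while the escaped one contains only the template's own tags.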
Comment 6 Mark J. Cox (Product Security) 2008-05-21 10:17:04 EDT
removing embargo
Comment 7 Tomas Hoger 2008-05-25 14:34:11 EDT
John, is setroubleshoot 2.0 first version to include a fix for this issue?

Is this the only relevant upstream commit?
  https://hosted.fedoraproject.org/setroubleshoot/changeset/956:72c554eb9543
Comment 8 John Dennis 2008-05-27 11:21:58 EDT
Yes, version 2.0 was the first public version to contain these fixes.
Comment 9 Red Hat Product Security 2008-05-29 03:52:55 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0061.html

