Bug 841702 (CVE-2012-3419) - CVE-2012-3419 pcp: privileged information diclosure flaw
Summary: CVE-2012-3419 pcp: privileged information diclosure flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3419
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 840905 848451 848629 848630
Blocks: 841708
TreeView+ depends on / blocked
 
Reported: 2012-07-19 22:32 UTC by Vincent Danen
Modified: 2019-09-29 12:54 UTC (History)
6 users (show)

Fixed In Version: pcp 3.6.5
Clone Of:
Environment:
Last Closed: 2013-01-22 16:57:23 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2012-07-19 22:32:54 UTC 
Florian Weimer of the Red Hat Product Security Team discovered that pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) exports part of the /proc file system, including privileged information that could be used to aid in bypassing ASLR, as well as full commandline information on running programs.
Comment 2 Huzaifa S. Sidhpurwala 2012-08-16 04:27:56 UTC 
Upstream patches:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=c20319d064af66dc5902661a3f05dccb24d7d177

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=279950ec0f5bb70967b2d5260ac7f075b8187ca1

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=8ff4984fee93bab09ea5c68b7ee18d1ab715bea1

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=b28bb3bd72ef9d6bd538d991efec34f65374b7df

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=f15378821b2d53ad00a8083653ea3ab4f8e63070

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=228d75bc7131251977df5ab33551e666920cfca9

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=d9c696f1e999ef22828d7b1485634b0998573d9f

This issue has been addressed in pcp-3.6.5
Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 04:45:41 UTC 
Created pcp tracking bugs for this issue

Affects: epel-all [bug 848629]
Comment 5 Huzaifa S. Sidhpurwala 2012-08-17 04:52:05 UTC 
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide:   https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18

EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6
Comment 6 Fedora Update System 2012-08-20 10:54:39 UTC 
pcp-3.6.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-08-20 10:57:10 UTC 
pcp-3.6.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-08-21 18:34:20 UTC 
pcp-3.6.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-08-21 18:38:08 UTC 
pcp-3.6.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-09-18 00:00:58 UTC 
pcp-3.6.5-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.