Bug 863178 - CVE-2012-4480 mom: world-writable PID file [fedora-all]
Summary: CVE-2012-4480 mom: world-writable PID file [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mom
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Adam Litke
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 863126 CVE-2012-4480
TreeView+ depends on / blocked
 
Reported: 2012-10-04 15:38 UTC by Florian Weimer
Modified: 2012-12-20 15:50 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:50:44 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Florian Weimer 2012-10-04 15:38:32 UTC 
daemonize in src/momd calls os.umask(0) when creating the daemon process.  As a result, the PID file is world-writable.

This dates back to incorrect example code in APUE.  It's probably best to just drop the umask call.
Comment 1 Vincent Danen 2012-10-04 17:38:50 UTC 
This is indeed a security concern.  I'll be filing a CVE bug for this.

Adam, am I correct in assuming that you are upstream for mom?

I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it).

I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would to handle it.
Comment 2 Adam Litke 2012-10-04 18:00:51 UTC 
Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How should we propagate the fix into Fedora?  I can just release a new upstream version which I had been planning to do soon anyway.  Is that okay?
Comment 3 Adam Litke 2012-10-04 21:52:39 UTC 
Fix comitted: http://gerrit.ovirt.org/#/c/8366/
Comment 4 Vincent Danen 2012-10-05 15:01:17 UTC 
Thanks, Adam.  Can you reference the CVE in any changelogs (maybe change the git commit)?  The CVE assigned is CVE-2012-4480.
Comment 5 Vincent Danen 2012-10-05 15:06:15 UTC 
(In reply to comment #2)
> Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How
> should we propagate the fix into Fedora?  I can just release a new upstream
> version which I had been planning to do soon anyway.  Is that okay?

A new upstream version with the fix would be a fine way to resolve this.
Comment 6 Vincent Danen 2012-10-05 15:10:44 UTC 
I'm making this bug public and into a tracking bug now that the commit is already public.

Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
Comment 7 Fedora Update System 2012-10-05 21:01:56 UTC 
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc17
Comment 8 Fedora Update System 2012-10-05 21:03:41 UTC 
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc18
Comment 9 Fedora Update System 2012-10-05 21:04:40 UTC 
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.el6
Comment 10 Fedora Update System 2012-10-06 03:46:58 UTC 
Package mom-0.3.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15496/mom-0.3.0-1.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 15:50:49 UTC 
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.