Bug 863178 - CVE-2012-4480 mom: world-writable PID file [fedora-all]
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mom
Version: rawhide
Hardware: Unspecified Unspecified
Priority: unspecified, Severity: unspecified
Assigned To: Adam Litke
QA Contact: Fedora Extras Quality Assurance
Keywords: Security, SecurityTracking
Blocks: 863126 CVE-2012-4480
Reported: 2012-10-04 11:38 EDT by Florian Weimer
Modified: 2012-12-20 10:50 EST
Doc Type: Release Note
Last Closed: 2012-12-20 10:50:44 EST
Type: Bug
Description Florian Weimer 2012-10-04 11:38:32 EDT
daemonize in src/momd calls os.umask(0) when creating the daemon process.  As a result, the PID file is world-writable.

This dates back to incorrect example code in APUE.  It's probably best to just drop the umask call.
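
Added example, not part of the original report and not MOM's own code: it shows how a PID file written after `os.umask(0)` ends up mode 0666, and one way to create it with an explicit mode that does not depend on the inherited umask. The helper names and the assumption that the daemon writes the file with a plain `open()` are hypothetical.

```python
import os
import stat
import tempfile

def write_pidfile_open(path):
    """Assumed daemon behaviour: plain open(), so mode is 0o666 & ~umask."""
    with open(path, "w") as f:
        f.write("%d\n" % os.getpid())
    return stat.S_IMODE(os.stat(path).st_mode)

def write_pidfile_hardened(path, mode=0o644):
    """Create the PID file exclusively and pin its mode regardless of umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)   # O_EXCL: fail if the path already exists
    try:
        os.fchmod(fd, mode)           # exact mode, whatever the umask was
        os.write(fd, b"%d\n" % os.getpid())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def with_umask(mask, fn, *args):
    """Run fn under a temporary umask and restore the previous one."""
    old = os.umask(mask)
    try:
        return fn(*args)
    finally:
        os.umask(old)

def is_world_writable(mode):
    return bool(mode & stat.S_IWOTH)

def demo():
    """Return the resulting file modes for each scenario (constructed paths)."""
    with tempfile.TemporaryDirectory() as d:
        p = lambda name: os.path.join(d, name)
        return {
            "umask0_open": with_umask(0, write_pidfile_open, p("a.pid")),
            "umask022_open": with_umask(0o022, write_pidfile_open, p("b.pid")),
            "umask0_hardened": with_umask(0, write_pidfile_hardened, p("c.pid")),
        }

if __name__ == "__main__":
    for name, mode in demo().items():
        state = "world-writable" if is_world_writable(mode) else "ok"
        print("%-16s %s %s" % (name, oct(mode), state))
```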
Comment 1 Vincent Danen 2012-10-04 13:38:50 EDT
This is indeed a security concern.  I'll be filing a CVE bug for this.

Adam, am I correct in assuming that you are upstream for mom?

I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it).

I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would like to handle it.
Comment 2 Adam Litke 2012-10-04 14:00:51 EDT
Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How should we propagate the fix into Fedora?  I can just release a new upstream version which I had been planning to do soon anyway.  Is that okay?
Comment 3 Adam Litke 2012-10-04 17:52:39 EDT
Fix committed: http://gerrit.ovirt.org/#/c/8366/
Comment 4 Vincent Danen 2012-10-05 11:01:17 EDT
Thanks, Adam.  Can you reference the CVE in any changelogs (maybe change the git commit)?  The CVE assigned is CVE-2012-4480.
Comment 5 Vincent Danen 2012-10-05 11:06:15 EDT
(In reply to comment #2)
> Hi.  Yes, I am upstream for MOM.  I can remove the umask call upstream.  How
> should we propagate the fix into Fedora?  I can just release a new upstream
> version which I had been planning to do soon anyway.  Is that okay?

A new upstream version with the fix would be a fine way to resolve this.
Comment 6 Vincent Danen 2012-10-05 11:10:44 EDT
I'm making this bug public and into a tracking bug now that the commit is already public.

Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
Comment 7 Fedora Update System 2012-10-05 17:01:56 EDT
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc17
Comment 8 Fedora Update System 2012-10-05 17:03:41 EDT
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.fc18
Comment 9 Fedora Update System 2012-10-05 17:04:40 EDT
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mom-0.3.0-1.el6
Comment 10 Fedora Update System 2012-10-05 23:46:58 EDT
Package mom-0.3.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15496/mom-0.3.0-1.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 10:50:49 EST
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
