daemonize in src/momd calls os.umask(0) when creating the daemon process. As a result, the PID file is world-writable.
This dates back to incorrect example code in APUE. It's probably best to just drop the umask call.
This is indeed a security concern. I'll be filing a CVE bug for this.
Adam, am I correct in assuming that you are upstream for mom?
I don't believe this will require much of an embargo; it's quite trivial to fix (removing os.umask() is sufficient to fix it).
I will, however, file our CVE bug as an embargoed bug for the time being, until we've heard back from you as to how you would to handle it.
Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How should we propagate the fix into Fedora? I can just release a new upstream version which I had been planning to do soon anyway. Is that okay?
Fix comitted: http://gerrit.ovirt.org/#/c/8366/
Thanks, Adam. Can you reference the CVE in any changelogs (maybe change the git commit)? The CVE assigned is CVE-2012-4480.
(In reply to comment #2)
> Hi. Yes, I am upstream for MOM. I can remove the umask call upstream. How
> should we propagate the fix into Fedora? I can just release a new upstream
> version which I had been planning to do soon anyway. Is that okay?
A new upstream version with the fix would be a fine way to resolve this.
I'm making this bug public and into a tracking bug now that the commit is already public.
Adam, please note that we would desire the fix in all supported versions of Fedora; it also seems that EPEL6 provides mom as well (although that will get a separate tracking bug).
mom-0.3.0-1.fc17 has been submitted as an update for Fedora 17.
mom-0.3.0-1.fc18 has been submitted as an update for Fedora 18.
mom-0.3.0-1.el6 has been submitted as an update for Fedora EPEL 6.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mom-0.3.0-1.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
mom-0.3.0-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.