Bug 918229 (CVE-2013-1820) - CVE-2013-1820 tuned: insecure permissions of pmqos-static.pid
Summary: CVE-2013-1820 tuned: insecure permissions of pmqos-static.pid
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-1820
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 915628 918233
Blocks: 918234
TreeView+ depends on / blocked
 
Reported: 2013-03-05 18:17 UTC by Vincent Danen
Modified: 2019-09-29 13:01 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 11:00:16 UTC


Attachments (Terms of Use)

Description Vincent Danen 2013-03-05 18:17:16 UTC
Finke Lamein reported that tuned's ktune service, which calls pmqos-static.py when the latency-performance profile is selected, would create its PID file with insecure permissions (0666).  A local user could use this flaw to kill arbitrary running processes when the ktune service is stopped.

NOTE: the latency-performance profile is not a default, and requires root privileges to enable ("tuned-adm profile latency-performance").  As well, ktune is not enabled by default.

Comment 1 Vincent Danen 2013-03-05 18:23:49 UTC
This is fixed upstream in the 1.x branch:

http://git.fedorahosted.org/cgit/tuned.git/patch/?id=c89ad2149ce0425ff790e9c44f5b682e1eee4edc

This does not affect 2.2.x, so Fedora 18 is not affected by this issue, however it does affect Fedora 17 (tuned/utils/daemon.py: _daemonize_fork()).

Comment 3 Vincent Danen 2013-03-05 18:27:43 UTC
Created tuned tracking bugs for this issue

Affects: fedora-17 [bug 918233]

Comment 4 Vincent Danen 2013-03-06 00:13:26 UTC
Acknowledgements:

Red Hat would like to thank Finke Lamein for reporting this issue.

Comment 5 Jaroslav Škarvada 2013-03-06 10:31:31 UTC
(In reply to comment #3)
> Created tuned tracking bugs for this issue
> 
> Affects: fedora-17 [bug 918233]

fedora-17 doesn't seem to be affected, only tuned < 2.X is affected and in fedora-17 updates there is already:
tuned-2.0.1-7.fc17

Comment 6 Jaroslav Škarvada 2013-03-06 10:36:53 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > Created tuned tracking bugs for this issue
> > 
> > Affects: fedora-17 [bug 918233]
> 
> fedora-17 doesn't seem to be affected, only tuned < 2.X is affected and in
> fedora-17 updates there is already:
> tuned-2.0.1-7.fc17

tuned-2.0.1-7.fc17 is not affected by the pmqos-static.pid issue, but there is similar issue described in bug 845336.

Comment 7 Jaroslav Škarvada 2013-03-06 10:38:32 UTC
Do we need another CVE? Fedora 17 is affected by security bug 845336.

Comment 8 Vincent Danen 2013-03-06 17:56:52 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #3)
> > > Created tuned tracking bugs for this issue
> > > 
> > > Affects: fedora-17 [bug 918233]
> > 
> > fedora-17 doesn't seem to be affected, only tuned < 2.X is affected and in
> > fedora-17 updates there is already:
> > tuned-2.0.1-7.fc17
> 
> tuned-2.0.1-7.fc17 is not affected by the pmqos-static.pid issue, but there
> is similar issue described in bug 845336.

Did you miss this?

(In reply to comment #1)
> This is fixed upstream in the 1.x branch:
> 
> http://git.fedorahosted.org/cgit/tuned.git/patch/
> ?id=c89ad2149ce0425ff790e9c44f5b682e1eee4edc
> 
> This does not affect 2.2.x, so Fedora 18 is not affected by this issue,
> however it does affect Fedora 17 (tuned/utils/daemon.py: _daemonize_fork()).

It's affected, but the code is different.

Comment 9 Vincent Danen 2013-03-06 17:58:08 UTC
(In reply to comment #7)
> Do we need another CVE? Fedora 17 is affected by security bug 845336.

That should have had its own CVE to begin with.  I'll sort this out later today and get one assigned.

Comment 10 Jaroslav Škarvada 2013-03-08 07:59:58 UTC
(In reply to comment #8)
> > This does not affect 2.2.x, so Fedora 18 is not affected by this issue,
> > however it does affect Fedora 17 (tuned/utils/daemon.py: _daemonize_fork()).
> 
> It's affected, but the code is different.

I still haven't got it, please see the analysis in bug 918233 comment 6.


Note You need to log in before you can comment on or make changes to this bug.