It was found that Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default. This happens when calling db_create() with dbenv=NULL; or using the dbm_open() function. References: http://seclists.org/oss-sec/2017/q2/452 http://www.postfix.org/announcements/postfix-3.2.2.html Proposed patch: http://seclists.org/oss-sec/2017/q2/475
Created libdb tracking bugs for this issue: Affects: fedora-all [bug 1464033] Created libdb4 tracking bugs for this issue: Affects: fedora-all [bug 1464035] Created postfix tracking bugs for this issue: Affects: fedora-all [bug 1464034]
Easy to reproduce with a simple application that creates and opens a database without explicitly specifying a database environment - a private (in-memory) environment is created instead. The patch makes sense to me (functionality-wise, the actual change would be better located elsewhere), libdb should not try parsing DB_HOME/DB_CONFIG if DB_HOME is not set. Will touch base with upstream first to see if they have any plans for fixing this yet.
(In reply to Petr Kubat from comment #2) > Easy to reproduce with a simple application that creates and opens a > database without explicitly specifying a database environment - a private > (in-memory) environment is created instead. > > The patch makes sense to me (functionality-wise, the actual change would be > better located elsewhere), libdb should not try parsing DB_HOME/DB_CONFIG if > DB_HOME is not set. > > Will touch base with upstream first to see if they have any plans for fixing > this yet. Any response so far?
(In reply to Stefan Cornelius from comment #3) > Any response so far? Nothing other that they see it as an issue themselves and that they will sent us the patch once they have it fixed. I have provided them with the reproducer I used and the downstream patch I have hotfixed the issue with so hopefully this should not take long.
Patch used by Fedora: http://pkgs.fedoraproject.org/cgit/rpms/libdb.git/commit/?id=8047fa8580659fcae740c25e91b490539b8453eb
libdb upstream got back to me today saying they are ok with the patch I sent them (and use for our version of libdb) and that we should keep on using it.
Reminds me of https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/531976 CVE-2010-0826 https://bugzilla.redhat.com/show_bug.cgi?id=580187
Statement: This issue affects the versions of libdb as shipped with Red Hat Satellite 6.0, 6.1 and 6.2. This package no longer ships with Satellite 6.3. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0366
Mitigation: Do not use an application using libdb if an untrusted user can create a DB_CONFIG file in its working directory.