sos-collector does not set any permission when creating new files, thus the default umask is used, making all newly created files readable by all local users. Given the delicacy of the data collected by sos-collector, all files created by the tool, including the sos-reports collected from the cluster machines, should be accessible only the to current user. A local attacker can use this flaw to read sensitive information collected from other machines when a legit user runs sos-collector. Upstream patch: https://github.com/sosreport/sos-collector/commit/72058f9253e7ed8c7243e2ff76a16d97b03d65ed
Acknowledgments: Name: Riccardo Schirone (Red Hat Product Security)
Created sos-collector tracking bugs for this issue: Affects: fedora-all [bug 1633659]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3663 https://access.redhat.com/errata/RHSA-2018:3663