oss-sec mailing list archives
Re: CVE request: multiple /tmp races in ppc64-diag
From: "Vincent Danen" <vdanen () redhat com>
Date: Wed, 18 Jun 2014 14:42:33 -0600
On 06/16/2014, at 23:17 PM, cve-assign () mitre org wrote:
>> https://bugzilla.novell.com/show_bug.cgi?id=882667
>> https://bugzilla.redhat.com/show_bug.cgi?id=1109371
>>
>> In the case of rtas_errd/prrn_hotplug, mktemp is used but is assumed to have
>> succeeded; there is no check for the return value.
>
> Are you reporting this as a prrn_hotplug vulnerability? If it were a
> vulnerability, it would have a separate CVE ID. We didn't test the code, but
> it looks more like an opportunity for a non-security enhancement or maybe a
> bug fix. Our guess is:
>
> 1. If the return value is nonzero, stdout is an empty string.
>
> 2. All of the ">> $TMPFILE" will fail, and won't write anything into any
> file.
>
> 3. The outcome is that /var/log/prrn_log doesn't have log information about
> what happened. We don't know of any direct security implications.
>
> 4. Possibly the code should check the return value and print something like
> "mktemp failed - maybe you're out of /tmp disk space?" but it might be
> better to let the rest of the script run anyway (i.e., not abort after that
> error condition).
>
> At least for now, there is no CVE ID for prrn_hotplug.
That sounds fine to me.
>> I don't know if the data in /tmp/diagSEsnap is sensitive or not
>>
>>   mkdir "/tmp/diagSEsnap", 0775;
>>   $general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";
>>   system("/usr/sbin/snap -o $general_eed_file 2>/dev/null 1>&2");
>
> This seems to be similar to the CVE-2014-3925 sosreport issue. snapH.tar.gz
> apparently will include /etc/fstab and therefore might include a password.
> http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-54819 says
> "When you report a problem to IBM Technical Support, run the snap utility
> and send the ... file to them." In addition, snapH.tar.gz apparently will
> include /var/log/messages, which traditionally is not supposed to be a
> world-readable file. (snap and sosreport aren't derivatives of the same
> code.)
>
> Also, the question of whether "/usr/sbin/snap -o $general_eed_file" is
> exploitable may depend on the behavior of snap. Apparently, snap does check
> whether the -o output file exists but doesn't avoid TOCTOU problems.
> Arguably, snap isn't responsible for avoiding TOCTOU problems because it's
> not inherently designed for use with untrusted output filenames.
>
> So, three CVEs seems to be the right number here. The ppc64-diag unsafe uses
> of temporary directories in these three scenarios:
>
>   "> /tmp/get_dt_files"
>
>   [ in rtas_errd/diag_support.c ]
>
>   mkdir "/tmp/diagSEsnap", 0775;
>   $general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";
>   system("/usr/sbin/snap -o $general_eed_file 2>/dev/null 1>&2");
>
>   [ in scripts/ppc64_diag_mkrsrc ]
>
>   TMP_DIR="/var/tmp/ras"
>   mkdir -p $TMP_DIR
>   MESSAGE_FILE="$TMP_DIR/messages"
>
>   [ in lpd/test/lpd_ela_test.sh - see Novell bug 882667 ]
>
> are primarily of interest because of symlink following, and are all assigned
> CVE-2014-4038.
>
> A second CVE for the ppc64-diag product is for the choice of weak
> directory/file permissions for the snapH.tar.gz archive including data that
> is not locally world-readable (e.g., /var/log/messages). This is
> CVE-2014-4039.
>
> A third CVE, CVE-2014-4040, is assigned for snap itself. snap can be found
> at http://sourceforge.net/projects/powerpc-utils (i.e., it's not part of the
> ppc64-diag product). This CVE is the one analogous to
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3925 (i.e., it
> includes the "cleartext passwords ... lacks a warning" rationale).
>
> CVE-2014-4039 and CVE-2014-4040 are vulnerabilities in different products
> and can be addressed independently. For example, snapH.tar.gz could have
> restrictive local permissions and still be sent to a remote destination
> without review. Alternatively, snapH.tar.gz could continue to have weak
> local permissions but snap could require the user to acknowledge a warning
> about off-site distribution of an fstab password, etc.
Great, thanks for this.

-- 
Vincent Danen / Red Hat Product Security
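Added example for this thread (editor's illustration; not ppc64-diag or powerpc-utils code). It reproduces, inside a private sandbox directory created with mktemp -d, the two shell-level problems discussed in the exchange above: a fixed filename under a shared directory that follows a planted symlink (the CVE-2014-4038 pattern), and mktemp output used without checking its exit status (the prrn_hotplug pattern MITRE declined a CVE for). The function names, the "get_dt_files" filename reused from the thread, and the sandbox layout are assumptions made for the demo only.

```sh
#!/bin/sh
# Editor's added example, not from ppc64-diag. Everything runs inside a
# throwaway directory so the symlink "attack" only ever touches demo files.

# Unsafe: a predictable name in a directory others can write to. open() follows
# a symlink an attacker planted at that name, so the redirect clobbers the
# link target (the "> /tmp/get_dt_files" case from the thread).
unsafe_write() {
    echo "device-tree listing" > "$1/get_dt_files"
}

# Unsafe: the prrn_hotplug pattern. If mktemp fails, $TMPFILE is empty, the
# ">>" redirect fails and the log line is silently lost; nothing is checked.
unchecked_append() {
    TMPFILE=$(mktemp "$1/prrn.XXXXXX")
    echo "hotplug event" >> "$TMPFILE" 2>/dev/null
}

# Safer: mktemp creates the file with O_CREAT|O_EXCL, so a pre-placed symlink
# or file at the chosen name makes it fail rather than being followed, and the
# exit status is checked before the name is used. Prints the created path.
safe_write() {
    tmp=$(mktemp "$1/get_dt_files.XXXXXX") || { echo "mktemp failed in $1" >&2; return 1; }
    echo "device-tree listing" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Safer directory variant for the mkdir "/tmp/diagSEsnap", 0775 and
# mkdir -p /var/tmp/ras cases: unlike mkdir -p, mktemp -d refuses to reuse an
# existing path (or symlink), and it creates the directory 0700, so an archive
# written into it is not readable by other local users (the CVE-2014-4039
# concern). The explicit chmod is belt and braces. Prints the created path.
safe_dir() {
    d=$(mktemp -d "$1/diagSEsnap.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# Demo: plant a symlink at the predictable name, then run the unsafe writer.
# Returns 0 when the attack worked, i.e. the victim file was overwritten.
demo_symlink_attack() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/ppc64diag-demo.XXXXXX") || return 2
    echo "original contents" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/get_dt_files"   # attacker's symlink
    unsafe_write "$sandbox"
    grep -q "device-tree listing" "$sandbox/victim"
    rc=$?
    rm -rf "$sandbox"
    return $rc
}

# Demo: same planted symlink, safe writer. Returns 0 when the victim is intact
# and the data went to a fresh, unpredictable mktemp file instead.
demo_safe_write() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/ppc64diag-demo.XXXXXX") || return 2
    echo "original contents" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/get_dt_files"
    out=$(safe_write "$sandbox") || { rm -rf "$sandbox"; return 3; }
    grep -q "original contents" "$sandbox/victim" && grep -q "device-tree listing" "$out"
    rc=$?
    rm -rf "$sandbox"
    return $rc
}

# Demo: group/other permission bits of the directory safe_dir creates, as ls
# prints them ("------" means no group or other access). Cleans up afterwards.
demo_safe_dir_mode() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/ppc64diag-demo.XXXXXX") || return 2
    d=$(safe_dir "$sandbox") || { rm -rf "$sandbox"; return 3; }
    ls -ld "$d" | cut -c5-10
    rm -rf "$sandbox"
}
```

Running `unchecked_append /nonexistent/dir` shows the failure mode MITRE guessed at: mktemp prints an error, `$TMPFILE` is empty, and the append fails with "No such file or directory" while the script carries on. `safe_write` against the same directory returns 1 with a diagnostic instead, and against a directory with a planted symlink it leaves the link target untouched.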
Current thread:
- CVE request: multiple /tmp races in ppc64-diag Vincent Danen (Jun 13)
- Re: CVE request: multiple /tmp races in ppc64-diag cve-assign (Jun 16)
- Re: CVE request: multiple /tmp races in ppc64-diag Vincent Danen (Jun 18)
- Re: CVE request: multiple /tmp races in ppc64-diag cve-assign (Jun 16)