oss-sec mailing list archives

Re: Problems in automatic crash analysis frameworks


From: Florian Weimer <fweimer () redhat com>
Date: Tue, 05 May 2015 14:17:32 +0200

On 04/23/2015 09:10 PM, Florian Weimer wrote:
On 04/17/2015 09:16 PM, Florian Weimer wrote:
A quick update on the abrt situation.

Another update.  We now have a public tracking bug listing the issues:

  <https://bugzilla.redhat.com/show_bug.cgi?id=1214172>

We have identified one more issue:

abrt-action-install-debuginfo-to-abrt-cache is a SUID wrapper which
incorrectly filters the process environment (umask and truncated command
line arguments such as “--ca”) before invoking the actual program.  This
allows a local attacker to create a world-writable problem directory and
eventually escalate their privileges to root.  (Other attacks against
the cpio extraction might be feasible.)  CVE-2015-3159
<https://bugzilla.redhat.com/show_bug.cgi?id=1216962>

Jakub Filak has created several pull requests fixing all the issues
identified so far:

  <https://github.com/abrt/abrt/pull/950>
  <https://github.com/abrt/abrt/pull/955>
  <https://github.com/abrt/libreport/pull/346>

There is a public build (against EPEL7) of the consolidated fixes,
available as a Copr repository:

  <http://copr.fedoraproject.org/coprs/jfilak/abrt-hardened/>

This also includes the consolidated fixes.

At this stage, we'd appreciate additional comments/reviews.

-- 
Florian Weimer / Red Hat Product Security

