811369 – (CVE-2013-1090) VUL-0: CVE-2013-1090: horde5: incorrect ownership of /etc/apache2/vhosts.d

Bug 811369 (CVE-2013-1090) - VUL-0: CVE-2013-1090: horde5: incorrect ownership of /etc/apache2/vhosts.d

Summary: VUL-0: CVE-2013-1090: horde5: incorrect ownership of /etc/apache2/vhosts.d

Status:	RESOLVED FIXED

Alias:	CVE-2013-1090

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Ralf Lang
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-03-25 12:55 UTC by Marcus Meissner
Modified:	2015-02-08 18:41 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2013-03-25 12:55:06 UTC

found conflict of apache2-2.4.3-1.1.x86_64 with horde5-5.0.2-3.1.noarch:
- /etc/apache2/vhosts.d [mode mismatch: 40755 0 root:root, 40750 0
wwwrun:root]


This would allow privilege escalation from wwwrun to root.


This is due to the weird %files seciton

## the config stuff in /etc
%defattr(0640, wwwrun, root, 0750)
%dir /etc/horde
%dir /etc/horde/horde
%dir /etc/horde/horde/registry.d
%dir /etc/horde/apache-snippets.d
%config /etc/horde/apache-snippets.d/horde.conf
%config(noreplace) /etc/horde/horde/conf.php
%config(noreplace) /etc/horde/horde/conf.bak.php
%config(noreplace) /etc/horde/horde/registry.local.php
%config(noreplace) /etc/horde/horde/prefs.local.php
%dir /etc/apache2
%dir /etc/apache2/vhosts.d
%config /etc/apache2/vhosts.d/horde.vhost.conf.template


The /etc/apache2 stuff must be moved _before_ the %defattr(...wwwrun...) line

Comment 1 Marcus Meissner 2013-03-25 13:08:02 UTC

I have assigned CVE-2013-1090 from the SUSE CVE Pool, as this is a SUSE specific packaging issue.

Comment 2 Marcus Meissner 2013-03-25 13:13:35 UTC

I also think the horde config should probably not be owned by wwwrun either.

Comment 3 Swamp Workflow Management 2013-03-25 23:00:21 UTC

bugbot adjusting priority

Comment 4 Marcus Meissner 2013-04-04 14:38:32 UTC

 /etc/horde/ i think also should not be owned by wwwwrun

Comment 5 Marcus Meissner 2013-11-05 09:17:53 UTC

Can you take care of this Ralf?

Comment 6 Ralf Lang 2013-11-05 09:49:03 UTC

Yes.

Comment 7 Ralf Lang 2013-11-05 09:55:51 UTC

At least the conf.php files in /etc/horde/* should be writable and/or createable by the www user, otherwise crippling the admin experience. They are autogenerated and somewhat cryptic, you would not want to edit them by hand.

Comment 8 Ralf Lang 2013-11-11 15:46:29 UTC

mr 206500

Comment 9 Swamp Workflow Management 2013-12-04 20:04:43 UTC

openSUSE-SU-2013:1826-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 811369
CVE References: CVE-2013-1090
Sources used:
openSUSE 12.3 (src):    horde5-5.0.2-2.4.1

Comment 10 Ralf Lang 2015-02-08 18:41:27 UTC

There was a MR in 2013