Bug 882667 (CVE-2014-4038) - VUL-0: CVE-2014-4038: ppc64-diag: /tmp race in ppc64-diag
Summary: VUL-0: CVE-2014-4038: ppc64-diag: /tmp race in ppc64-diag
Status: RESOLVED FIXED
Alias: CVE-2014-4038
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Deadline: 2014-06-24
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:58365
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-13 15:01 UTC by Marcus Meissner
Modified: 2015-02-19 01:50 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
ppc64-diag-tmpraces.patch (2.74 KB, patch)
2014-06-16 12:01 UTC, Marcus Meissner
Updated patch (2.92 KB, patch)
2014-07-18 13:15 UTC, Johannes Segitz

Description Marcus Meissner 2014-06-13 15:01:45 UTC
ppc64-diag-2.6.6/rtas_errd/diag_support.c

        char command[]="/usr/bin/find /proc/device-tree -name status -print > /tmp/get_dt_files";

        if (system(command) != 0) {
                fprintf(stderr, "get_dt_status find command failed\n");
                return NULL;
        }

        /* results of the find command */
        fp1 = fopen("/tmp/get_dt_files", "r");
        if (fp1 == 0) {
                fprintf(stderr, "open failed on /tmp/get_dt_files\n");
                return NULL;
        }



Please just use popen() and no /tmp file.
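A popen()-based replacement for the snippet above, added here as an example and not ppc64-diag's own code: the command output is read straight from the pipe, so no world-writable path is ever opened. collect_lines, get_dt_status_files and line_count are hypothetical names, and the command string is assumed to be a trusted literal as in the original.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Run cmd through a pipe and collect up to max_lines output lines (newline
 * stripped) into lines[]; the caller frees each entry. Returns the count, or
 * -1 if the pipe or the command fails. A pipe has no name on the filesystem,
 * so, unlike "> /tmp/get_dt_files", there is no path for a symlink race. */
static int collect_lines(const char *cmd, char **lines, int max_lines)
{
    char buf[4096];
    int n = 0, failed = 0;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    while (n < max_lines && fgets(buf, sizeof buf, fp) != NULL) {
        buf[strcspn(buf, "\n")] = '\0';
        if ((lines[n] = strdup(buf)) == NULL) {
            failed = 1;
            break;
        }
        n++;
    }
    /* Drain leftover output so the child cannot block on a full pipe
     * while pclose() waits for it; pclose() then gives the exit status,
     * which replaces the original system() != 0 check. */
    while (fgets(buf, sizeof buf, fp) != NULL)
        ;
    if (pclose(fp) != 0 || failed) {
        while (n > 0)
            free(lines[--n]);
        return -1;
    }
    return n;
}

/* The find invocation from diag_support.c, minus the /tmp file. */
static int get_dt_status_files(char **lines, int max_lines)
{
    return collect_lines("/usr/bin/find /proc/device-tree -name status -print", lines, max_lines);
}

/* Count the lines cmd prints; handy for a quick stand-alone check. */
static int line_count(const char *cmd)
{
    char *tmp[256];
    int n = collect_lines(cmd, tmp, 256);
    for (int i = 0; i < n; i++)
        free(tmp[i]);
    return n;
}
```

The same change applies to the scripts named in the later comments: a per-run directory from mktemp -d with mode 0700 instead of a fixed /tmp/diagSEsnap or /var/tmp/ras path.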
Comment 1 Marcus Meissner 2014-06-13 15:03:51 UTC
see bug 882450
Comment 2 Marcus Meissner 2014-06-13 15:06:19 UTC
scripts/ppc64_diag_mkrsrc  also uses /tmp unsafely.

lpd/test/lpd_ela_test.sh same (mkdir -p return value should be checked and handled)
Comment 3 Marcus Meissner 2014-06-16 12:01:04 UTC
Created attachment 594718 [details]
ppc64-diag-tmpraces.patch

patch i did, untested.
Comment 4 Swamp Workflow Management 2014-06-16 22:00:12 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2014-06-17 07:58:47 UTC
Date: Tue, 17 Jun 2014 01:17:57 -0400 (EDT)
From: cve-assign@mitre.org

The ppc64-diag unsafe uses of temporary directories in these three
scenarios:

  "> /tmp/get_dt_files" [ in rtas_errd/diag_support.c ]

  mkdir "/tmp/diagSEsnap", 0775;
  $general_eed_file = "/tmp/diagSEsnap/snapH.tar.gz";
  system("/usr/sbin/snap -o $general_eed_file 2>/dev/null 1>&2");
  [ in scripts/ppc64_diag_mkrsrc ]

  TMP_DIR="/var/tmp/ras"
  mkdir -p $TMP_DIR
  MESSAGE_FILE="$TMP_DIR/messages"
  [ in lpd/test/lpd_ela_test.sh - see Novell bug 882667 ]

are primarily of interest because of symlink following, and are all
assigned CVE-2014-4038.

A second CVE for the ppc64-diag product is for the choice of weak
directory/file permissions for the snapH.tar.gz archive including data
that is not locally world-readable (e.g., /var/log/messages). This is
CVE-2014-4039.
Comment 6 Swamp Workflow Management 2014-06-17 11:02:36 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-06-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57887
Comment 8 LTC BugProxy 2014-06-20 07:21:25 UTC
Comment from  VASANT HEGDE 2014-06-20 01:24:17 EDT

Attached patch looks good ... SUSE, please proceed..
Comment 11 LTC BugProxy 2014-06-23 16:31:59 UTC
------- Comment From hannsj_uhl@de.ibm.com 2014-06-20 07:18 EDT-------
Comment 19 Hanns-Joachim Uhl 2014-07-04 11:31:24 UTC
(In reply to comment #8)
> Comment from  VASANT HEGDE 2014-06-20 01:24:17 EDT
> 
> Attached patch looks good ... SUSE, please proceed..
.
Hello SUSE / Marcus,
short question ..
... will this patch be included in SLES 12 RC1 ..? Please advise ..
Thanks in advance for your support.
Comment 21 Marcus Meissner 2014-07-07 13:05:49 UTC
Hanns, yes, it will.
Comment 22 Jan Loeser 2014-07-07 14:22:55 UTC
Done.
Comment 28 Marcus Meissner 2014-07-10 14:20:05 UTC
thanks! reassign to security for tracking
Comment 31 Johannes Segitz 2014-07-18 13:15:22 UTC
Created attachment 599147 [details]
Updated patch

Reworked the patch to include the permission fixes and to ensure that all pipes and open files get closed upon return
Comment 32 Marcus Meissner 2014-07-22 11:07:29 UTC
in qa
Comment 33 Bernhard Wiedemann 2014-07-22 13:07:14 UTC
This is an autogenerated message for OBS integration:
This bug (882667) was mentioned in
https://build.opensuse.org/request/show/241884 Factory / ppc64-diag
Comment 36 Swamp Workflow Management 2014-07-23 21:05:03 UTC
SUSE-SU-2014:0928-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 882667
CVE References: CVE-2014-4038,CVE-2014-4039
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    ppc64-diag-2.6.1-0.14.1
Comment 37 Marcus Meissner 2014-07-26 08:12:06 UTC
fixed
Comment 38 Swamp Workflow Management 2014-07-30 19:21:02 UTC
openSUSE-SU-2014:0953-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 882667
CVE References: CVE-2014-4038,CVE-2014-4039
Sources used:
openSUSE 13.1 (src):    ppc64-diag-2.6.1-2.4.1
Comment 39 Swamp Workflow Management 2014-07-31 06:19:56 UTC
openSUSE-SU-2014:0953-2: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 882667
CVE References: CVE-2014-4038,CVE-2014-4039
Sources used:
openSUSE 12.3 (src):    ppc64-diag-2.6.0-2.4.1