Bug 1158763 (CVE-2019-18900) - VUL-0: CVE-2019-18900: libzypp: /var/lib/YaST2/cookies is world readable
Summary: VUL-0: CVE-2019-18900: libzypp: /var/lib/YaST2/cookies is world readable
Status: RESOLVED FIXED
Alias: CVE-2019-18900
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/248554/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-18900:4.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-09 09:42 UTC by Matthias Gerstner
Modified: 2024-04-15 14:59 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Matthias Gerstner 2019-12-09 09:42:45 UTC
I noticed that libzypp configures curl to store cookies in
/var/lib/YaST2/cookies, which has the following permissions:

-rw-r--r-- 1 root root 331  5. Dez 12:33 cookies

In one of my test setups cookies for scc.suse.com are stored in this file. I'm
not completely sure about their purpose and sensitivity. But it might be a
good idea to keep those cookies inaccessible to regular users in the system.

There could be situations where unprivileged users are not supposed to get
access to a subscription, for example. It also means that high risk local
accounts like nobody can get access to this information.
Comment 1 Michael Andres 2019-12-09 09:55:59 UTC
Frankly I was not aware that /var/lib/YaST2/cookies is used in the curl backend.

@yast-maintainers: Is this file somehow referenced/needed by yast?
Comment 2 Michael Andres 2019-12-09 14:55:57 UTC
According to bug#573897 they are used for cookie based authentication, so readability should be restricted.
Comment 3 Michael Andres 2019-12-10 13:07:54 UTC
https://github.com/openSUSE/libzypp/pull/196
Comment 4 Michael Andres 2019-12-10 14:13:39 UTC
The cookie file is now 0600 (also applied to existing files).
Fixed in libzypp-17.18.2 (TW,SLE15*)
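The fix described in the report and in the comment above has two parts: a newly created cookie jar must start out 0600, and a jar that already exists with the old 0644 mode must be tightened in place. The script below is an added example (not libzypp's code) that audits a cookie file for group/world read access and applies both parts of the fix; it runs against a constructed world-readable file in a temporary directory, so the path and its contents are assumptions, not the real /var/lib/YaST2/cookies.

```python
"""Audit and harden the permissions of a curl cookie jar such as
/var/lib/YaST2/cookies. Added example; not libzypp code."""
import os
import stat
import tempfile

# Permission bits that let anyone other than the owner read the file.
OTHER_READ_BITS = stat.S_IRGRP | stat.S_IROTH
# The mode the fix settles on: owner read/write only.
PRIVATE_MODE = 0o600


def readable_by_others(path):
    """Return True if group or world can read the file at `path`
    (the state the bug report shows: -rw-r--r--)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & OTHER_READ_BITS)


def harden_cookie_file(path):
    """Create `path` with mode 0600 if it is missing, otherwise strip the
    group/world bits from the existing file. Returns the resulting mode."""
    # O_CREAT with mode 0600 covers the new-file case. The process umask can
    # only clear bits, never add them, so the result is never wider than 0600.
    # O_NOFOLLOW refuses to operate through a symlink planted at the path.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, PRIVATE_MODE)
    try:
        # fchmod acts on the file we actually opened, so the existing-file
        # case is handled without a separate chmod-by-name call.
        os.fchmod(fd, PRIVATE_MODE)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: a 0644 cookie jar in a temp dir, plus a jar
    that does not exist yet. Returns (exposed_before, mode_after_fix,
    exposed_after, mode_of_new_file)."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "cookies")  # assumed path, stands in for the real one
        with open(jar, "w") as f:
            f.write("# Netscape HTTP Cookie File\n")  # constructed content
        os.chmod(jar, 0o644)  # reproduce the world-readable state from the report
        exposed_before = readable_by_others(jar)
        mode_after = harden_cookie_file(jar)
        exposed_after = readable_by_others(jar)
        # A jar that never existed is created private from the start.
        new_jar = os.path.join(d, "cookies.new")
        new_mode = harden_cookie_file(new_jar)
        return exposed_before, mode_after, exposed_after, new_mode


if __name__ == "__main__":
    print(demo())
```

The audit function is the piece worth running on real hosts: any credential-bearing file that `readable_by_others` flags is readable by every local account, including low-privilege service accounts like `nobody` that the report calls out.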
Comment 5 Michael Andres 2019-12-10 14:17:29 UTC
Also fixed:
  SLE-12-SP2+     libzypp 16.21.2
  SLE-12-SP1      libzypp 15.28.4
  SLE-12          libzypp 14.48.4
Comment 6 Matthias Gerstner 2019-12-10 15:03:28 UTC
Thanks a lot for working on this so quickly. I'm reopening and assigning to
security-team, they still need to evaluate this issue in their systems and
check all supported codestreams. Maybe we'll assign one of SUSE's CVEs for
this.
Comment 7 Johannes Segitz 2019-12-11 08:20:57 UTC
Please use CVE-2019-18900 to track this.

@ma: can you please add this to the changes you already made? I want to make sure that this is recognized as having security impact
Comment 8 Michael Andres 2019-12-11 09:05:54 UTC
Added CVE-2019-18900 to the changelog entries of the above versions.
Comment 9 Michael Andres 2019-12-11 10:44:17 UTC
JFYI: running maintenance incidents:
Request: #207477 Devel:zypp:SLE12SP1/libzypp
Request: #207475 Devel:zypp:SLE12SP2/libzypp
Request: #207476 Devel:zypp:SLE12SP3/libzypp
Request: #207478 Devel:zypp:SLE15/libzypp
Request: #207479 Devel:zypp:SLE15SP1/libzypp

Also submitted to SUSE:SLE-15-SP2:GA and openSUSE:Factory
Comment 11 Swamp Workflow Management 2020-01-07 17:14:32 UTC
SUSE-SU-2020:0023-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1158763
CVE References: CVE-2019-18900
Sources used:
SUSE CaaS Platform 3.0 (src):    libzypp-16.21.2-27.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-01-13 14:11:37 UTC
SUSE-SU-2020:0079-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1158763
CVE References: CVE-2019-18900
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server 12-SP5 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server 12-SP4 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libzypp-16.21.2-2.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-01-13 17:14:49 UTC
SUSE-SU-2020:0087-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763
CVE References: CVE-2019-18900
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libsolv-0.7.10-3.22.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libsolv-0.7.10-3.22.1, libzypp-17.19.0-3.34.1, zypper-1.14.33-3.29.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    libsolv-0.7.10-3.22.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libsolv-0.7.10-3.22.1, libzypp-17.19.0-3.34.1, zypper-1.14.33-3.29.1
SUSE Linux Enterprise Installer 15 (src):    libsolv-0.7.10-3.22.1, libzypp-17.19.0-3.34.1, zypper-1.14.33-3.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Michael Andres 2020-02-07 07:22:41 UTC
closing
Comment 15 Michael Andres 2020-02-07 07:23:01 UTC
closing
Comment 16 Swamp Workflow Management 2020-02-21 17:15:57 UTC
SUSE-SU-2020:0432-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763
CVE References: CVE-2019-18900
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    libsolv-0.7.10-3.13.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libsolv-0.7.10-3.13.4, libzypp-17.19.0-3.14.5, zypper-1.14.33-3.13.5
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    libsolv-0.7.10-3.13.4
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libsolv-0.7.10-3.13.4, libzypp-17.19.0-3.14.5, zypper-1.14.33-3.13.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-02-27 17:56:07 UTC
openSUSE-SU-2020:0255-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763
CVE References: CVE-2019-18900
Sources used:
openSUSE Leap 15.1 (src):    libsolv-0.7.10-lp151.2.10.1, libzypp-17.19.0-lp151.2.10.1, zypper-1.14.33-lp151.2.10.1
Comment 18 Swamp Workflow Management 2020-09-16 19:14:54 UTC
SUSE-SU-2020:0079-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1158763
CVE References: CVE-2019-18900
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libzypp-16.21.2-2.45.1
SUSE OpenStack Cloud Crowbar 8 (src):    libzypp-16.21.2-2.45.1
SUSE OpenStack Cloud 9 (src):    libzypp-16.21.2-2.45.1
SUSE OpenStack Cloud 8 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libzypp-16.21.2-2.45.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libzypp-16.21.2-2.45.1
SUSE Enterprise Storage 5 (src):    libzypp-16.21.2-2.45.1
HPE Helion Openstack 8 (src):    libzypp-16.21.2-2.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-11-19 08:15:50 UTC
SUSE-SU-2020:3367-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1158763,1169947,1178038
CVE References: CVE-2019-18900
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    libzypp-16.21.2-27.70.1, zypper-1.13.57-18.46.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libzypp-16.21.2-27.70.1, zypper-1.13.57-18.46.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libzypp-16.21.2-27.70.1, zypper-1.13.57-18.46.3
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libzypp-16.21.2-27.70.1, zypper-1.13.57-18.46.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Michael Andres 2023-08-24 10:20:43 UTC
@Gianluca, now I see where the reference comes from:

It's actually no change or bugfix in the production code. We cherry-picked fixes done to our default mediabackend for the ZYPP_MEDIANETWORK techpreview. We kept the original commit messages referencing bugzilla or other issues in order to document in the new code why these changes/fixes were introduced.

Our submission scripts however pick all commit messages referencing issues into the changes files so they don't get lost. 

When reviewing the changes file, I overlooked that this line refers to an old and fixed bug. It should not have appeared in the changes. It's no bugfix, it just kind of documents that the original fix will be present in the new backend as well.

I'd rather remove the reference from the changes file?
Comment 25 Michael Andres 2023-08-24 14:51:28 UTC
JFYI: The faulty changes line is removed in libzypp-17.31.20.

Resubmitted:
MR#306200: Devel:zypp:SLE15SP1 - libzypp zypper -> SUSE:SLE-15-SP1:Update
MR#306202: Devel:zypp:SLE15SP2 - libzypp zypper -> SUSE:SLE-15-SP2:Update
MR#306203: Devel:zypp:SLE15SP4 - libzypp zypper -> SUSE:SLE-15-SP4:Update
They should no longer reference this bug.
Comment 26 Maintenance Automation 2023-09-01 16:30:02 UTC
SUSE-RU-2023:3515-1: An update that has five recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1158763, 1210740, 1213231, 1213557, 1213673
Sources used:
SUSE Linux Enterprise Server 15 SP2 (src): libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Server 15 SP3 (src): libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Real Time 15 SP3 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Manager Proxy 4.2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Manager Retail Branch Server 4.2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Manager Server 4.2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Enterprise Storage 7.1 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Micro 5.1 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Micro 5.2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): zypper-1.14.63-150200.59.1, libzypp-17.31.20-150200.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Maintenance Automation 2023-09-01 16:30:06 UTC
SUSE-RU-2023:3514-1: An update that has five recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1158763, 1210740, 1213231, 1213557, 1213673
Sources used:
openSUSE Leap 15.4 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
openSUSE Leap 15.5 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
SUSE Linux Enterprise High Performance Computing 15 SP4 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Server 15 SP4 (src): libzypp-17.31.20-150400.3.40.1
SUSE Manager Server 4.3 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Desktop 15 SP4 (src): libzypp-17.31.20-150400.3.40.1
SUSE Manager Retail Branch Server 4.3 (src): libzypp-17.31.20-150400.3.40.1
SUSE Manager Proxy 4.3 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise High Performance Computing 15 SP5 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Server 15 SP5 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Desktop 15 SP5 (src): libzypp-17.31.20-150400.3.40.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
SUSE Linux Enterprise Micro 5.3 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
SUSE Linux Enterprise Micro 5.4 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
Basesystem Module 15-SP4 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1
Basesystem Module 15-SP5 (src): libzypp-17.31.20-150400.3.40.1, zypper-1.14.63-150400.3.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2023-09-01 16:30:09 UTC
SUSE-RU-2023:3513-1: An update that has five recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1158763, 1210740, 1213231, 1213557, 1213673
Sources used:
SUSE Linux Enterprise Server 15 SP1 (src): libzypp-17.31.20-150100.3.117.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): libzypp-17.31.20-150100.3.117.1, zypper-1.14.63-150100.3.84.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): libzypp-17.31.20-150100.3.117.1, zypper-1.14.63-150100.3.84.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): libzypp-17.31.20-150100.3.117.1, zypper-1.14.63-150100.3.84.1
SUSE CaaS Platform 4.0 (src): libzypp-17.31.20-150100.3.117.1, zypper-1.14.63-150100.3.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Marcus Meissner 2024-04-15 14:59:18 UTC
released