Bug 1196446 (CVE-2022-21945) - VUL-0: CVE-2022-21945: cscreen: usage of fixed path /tmp/cscreen.debug
Summary: VUL-0: CVE-2022-21945: cscreen: usage of fixed path /tmp/cscreen.debug
Status: RESOLVED FIXED
Alias: CVE-2022-21945
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits (show other bugs)
Version: unspecified
Hardware: Other Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Olaf Hering
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1196140
Reported: 2022-02-24 14:04 UTC by Matthias Gerstner
Modified: 2022-03-11 10:16 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
bug1196446.patch (1.88 KB, text/plain)
2022-02-25 16:01 UTC, Olaf Hering

Description Matthias Gerstner 2022-02-24 14:04:22 UTC
+++ This bug was initially created as a clone of Bug #1196140

The cscreen package uses a fixed path /tmp/cscreen.debug in the script
/usr/bin/cscreen_update_config.sh:

```bash
function add_window()
{
    <...snip...>
    # Debug output is appended to a fixed path in the world-writable /tmp,
    # so any local user can pre-create that name before the script runs.
    echo $_host >> /tmp/cscreen.debug
    echo $_status >> /tmp/cscreen.debug
    if [ -n "$_status" ];then
        echo "screen -x $session -X $_status" >> /tmp/cscreen.debug
        screen -x $session -X defhstatus "$_status" >>/tmp/cscreen.debug 2>&1
    fi
    echo "Add Window $TITLE: screen -x $session -X $COMMAND" >>/tmp/cscreen.debug
    <...snip...>
}
```

Luckily no one seems to be reading from there anymore.

Without symlink protection this could be a local DoS vector against the system.
By placing a FIFO in this location it could be a dedicated DoS and information
leak against the update script.

Please change the script either to drop this debug file by default, to use
an unpredictable temporary file name, or to use a safe location for the file
that is not accessible by every user on the system.
Comment 1 Olaf Hering 2022-02-25 12:19:51 UTC
This script is called by orthos.
When do we intend to lift the embargo? I changed the location to /run/cscreen/
Comment 2 Matthias Gerstner 2022-02-25 14:47:25 UTC
(In reply to Olaf Hering from comment #1)
> This script is called by orthos.
> When do we intend to lift the embargo? I changed the location to
> /run/cscreen/

It's up to us. I suggest when you have solutions ready for both issues then we can publish it.
Comment 3 Olaf Hering 2022-02-25 16:01:31 UTC
Created attachment 856583 [details]
bug1196446.patch

I think this change will fix the issue.
Comment 4 Matthias Gerstner 2022-02-28 12:39:31 UTC
(In reply to ohering@suse.com from comment #3)
> Created attachment 856583 [details]
> bug1196446.patch
> 
> I think this change will fix the issue.

Yes, using the dedicated /run/ directory is good. I'm not quite sure about the
kind of debug output generated by these commands, could it be prudent to
protect the debug file from world and only allow e.g. members of the same
_cscreen group to read them?
Comment 5 Olaf Hering 2022-02-28 12:49:24 UTC
yeah, I already planned to adjust the mask in tmpfile.conf.
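The fix requested in the report, combined with the /run/ directory and the restricted mode discussed in comments 1 to 5, as an added example. This is neither the cscreen package's code nor the attached bug1196446.patch: the /run/cscreen path and the _cscreen user follow the discussion above, while the tmpfiles.d line, the CSCREEN_DEBUG_DIR override and the helper names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the cscreen package or from bug1196446.patch.
# Replaces the `echo ... >> /tmp/cscreen.debug` pattern with a helper that
# only writes into a directory the caller owns and nobody else can write to.
#
# Assumed deployment (hypothetical): a tmpfiles.d entry creates the directory
# at boot with group-only access, e.g.
#   d /run/cscreen 0750 _cscreen _cscreen -
# and cscreen_update_config.sh runs as _cscreen. CSCREEN_DEBUG_DIR is an
# invented override so the helper can be exercised in a scratch directory.
# Requires find(1) with symbolic -perm modes (GNU and BSD find both have it).

CSCREEN_DEBUG_DIR="${CSCREEN_DEBUG_DIR:-/run/cscreen}"

# dir_is_private DIR: succeed only if DIR is a real directory (not a symlink),
# owned by the current user and not writable by group or others. /tmp fails
# this test; a 0750 /run/cscreen owned by _cscreen passes it.
dir_is_private() {
    [ -L "$1" ] && return 1
    [ -n "$(find "$1" -prune -type d -user "$(id -un)" \
                ! -perm -g+w ! -perm -o+w 2>/dev/null)" ]
}

# debug_log DIR MESSAGE...: append MESSAGE to DIR/cscreen.debug.
# Fails without writing when DIR is not private or when something other than
# a plain file (a planted symlink or FIFO) sits at the log path.
debug_log() {
    _dir=$1; shift
    _file="$_dir/cscreen.debug"

    if ! dir_is_private "$_dir"; then
        printf 'debug_log: %s is not a private directory, not logging\n' "$_dir" >&2
        return 1
    fi
    # Nobody else can create entries in a private directory, so the
    # check-then-open sequence below cannot be raced. The same sequence in
    # /tmp would still lose a symlink race, which is why the directory matters.
    if [ -L "$_file" ] || { [ -e "$_file" ] && [ ! -f "$_file" ]; }; then
        printf 'debug_log: %s is not a regular file, not logging\n' "$_file" >&2
        return 1
    fi
    if [ ! -e "$_file" ]; then
        # First write: create the file with owner-only permissions.
        ( umask 077 && : > "$_file" ) || return 1
    fi
    printf '%s\n' "$*" >> "$_file"
}

# Self-check in scratch directories so the example runs without /run/cscreen:
# a private directory accepts the write, a planted FIFO (the DoS case from the
# report) and a world-writable directory are refused. Returns 0 on success.
self_check() {
    _ok=$(mktemp -d) && _fifo=$(mktemp -d) && _open=$(mktemp -d) || return 1
    mkfifo "$_fifo/cscreen.debug" || return 1
    chmod 1777 "$_open" || return 1
    _rc=1
    if debug_log "$_ok" "Add Window host1: screen -x cscreen -X screen -t host1" \
       && [ -f "$_ok/cscreen.debug" ] \
       && ! debug_log "$_fifo" "blocked" 2>/dev/null \
       && ! debug_log "$_open" "blocked" 2>/dev/null; then
        _rc=0
    fi
    rm -rf "$_ok" "$_fifo" "$_open"
    [ "$_rc" -eq 0 ] && echo "self-check ok"
    return "$_rc"
}

self_check
```

The directory check is the part that actually closes the report's attack: once only _cscreen can create entries under /run/cscreen, a planted symlink or FIFO is impossible, and the per-file checks in debug_log become defence in depth rather than the primary control. Restricting the directory to 0750 also addresses comment 4, since other users cannot read whatever the screen commands write into the log.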
Comment 7 Johannes Segitz 2022-03-09 10:16:22 UTC
Please use CVE-2022-21945 for this. For the other issue I'm still a bit torn and need to think about it more