Date: Tue, 05 May 2015 14:17:32 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Problems in automatic crash analysis frameworks On 04/23/2015 09:10 PM, Florian Weimer wrote: > On 04/17/2015 09:16 PM, Florian Weimer wrote: >> A quick update on the abrt situation. > > Another update. We now have a public tracking bug listing the issues: > > <https://bugzilla.redhat.com/show_bug.cgi?id=1214172> We have identified one more issue: abrt-action-install-debuginfo-to-abrt-cache is a SUID wrapper which incorrectly filters the process environment (umask and truncated command line arguments such as “--ca“) before invoking the actual program. This allows a local attacker to create a world-writable problem directory and eventually escalate their privileges to root. (Other attacks against the cpio extraction might be feasible.) CVE-2015-3159 <https://bugzilla.redhat.com/show_bug.cgi?id=1216962> Jakub Filak has created several pull requests fixing all the issues identified so far: <https://github.com/abrt/abrt/pull/950> <https://github.com/abrt/abrt/pull/955> <https://github.com/abrt/libreport/pull/346> There is a public build (against EPEL7) of the consolidated fixes, available as a Copr repository: <http://copr.fedoraproject.org/coprs/jfilak/abrt-hardened/> This also includes the consolidated fixes. At this stage, we'd appreciate additional comments/reviews. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.