Bug 6523

Summary: abrt possible security issues CVE-2011-4088 and CVE-2012-1106
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, oe, sysadmin-bugs, thierry.vignaud, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/502705/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: abrt CVE:
Status comment:

Description David Walser 2012-06-20 18:32:17 CEST 
RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0841.html

We have these packaged in Mageia 2.  I can't find anything that says which versions of these packages are affected, but most likely ours are affected.
David Walser 2012-06-20 18:32:26 CEST

Whiteboard: (none) => MGA2TOO

David Walser 2012-08-27 02:17:15 CEST

CC: (none) => thierry.vignaud

David Walser 2012-10-10 00:47:52 CEST

CC: (none) => oe

David Walser 2012-11-20 16:40:01 CET

Severity: normal => major

Comment 1 David Walser 2012-11-21 16:28:00 CET 
Not 100% sure, but looks like CVE-2011-4088 is probably fixed in abrt 2.0.7 and libreport 2.0.8, so Mageia 2 and Cauldron would be OK.

It looks like CVE-2012-1106 was fixed in abrt 2.0.8 or 2.0.9, so we need to update that.
Comment 2 David Walser 2012-11-21 18:19:36 CET 
Patched abrt package uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated abrt packages fix security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access (CVE-2012-1106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html
========================

Updated packages in core/updates_testing:
========================
abrt-2.0.7-3.1.mga2
libabrt0-2.0.7-3.1.mga2
libabrt-devel-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-cli-2.0.7-3.1.mga2
abrt-desktop-2.0.7-3.1.mga2

from abrt-2.0.7-3.1.mga2.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/502705/
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Source RPM: abrt, libreport, btparser => abrt
Whiteboard: MGA2TOO => (none)
Severity: major => normal

Comment 3 Dave Hodgins 2012-11-22 03:22:54 CET 
Any suggestions for testing this?  I've tried following
http://fedoraproject.org/wiki/QA:Testcase_ABRT_CLI

Using "kill -SIGSEGV $pid", where the pid was a running firefox or kcalc
process, but "abrt-cli list" is not showing any output.

CC: (none) => davidwhodgins

Comment 4 David Walser 2012-11-22 03:27:28 CET 
I'm not sure the integration status of abrt in Mageia, but maybe Thierry knows.  He mentioned on the mageia-dev list that he's used it with GNOME apps:
https://www.mageia.org/pipermail/mageia-dev/2012-August/018250.html
Comment 5 Dave Hodgins 2012-11-22 05:02:57 CET 
Thanks.  It works with gedit.  I'll look into testing it more tomorrow.

[dave@x2v Documents]$ kill -SIGSEGV 3082
[dave@x2v Documents]$ abrt-cli list
[1]+  Segmentation fault      (core dumped) gedit
Comment 6 Dave Hodgins 2012-11-22 23:14:12 CET 
In /etc/sysctl.conf, I've added the line
fs.suid_dumpable=2
and run sysctl -p.

I mistook the seg fault output in Comment 5 as being output from abrt-cli list,
but it isn't.

As far as I can see, the core dump is not being generated, or captured
by abrt. The directory /var/spool/abrt is empty.

The abrt services are all running, so I'm not sure what else is needed,
to activate it, or confirm it's working as it's supposed to.

Any ideas?

Whiteboard: (none) => feedback

Comment 7 David Walser 2012-11-22 23:27:25 CET 
I think by default on Mageia, you can't make core files because of the ulimit settings, maybe a ulimit -c <large number> command will allow them to be created.
Comment 8 Dave Hodgins 2012-11-23 04:26:15 CET 
/etc/profile.d/00abrt.sh from abrt-addon-ccpp is already running
ulimit -c unlimited
so that's not it.

Do the debug packages have to be installed for abrt to work?
Comment 9 David Walser 2012-11-23 04:42:50 CET 
I wouldn't think so.

Thierry, can you give some input here?
Comment 10 claire robinson 2012-11-30 19:33:41 CET 
Pinging for feedback please.
Please see comment 6 onwards
Comment 11 Dave Hodgins 2012-12-08 03:35:44 CET 
As discussed in yesterdays qa meeting, I can only confirm the abrtd service
starts ok, on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
abrt-2.0.7-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated abrt packages fix security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access (CVE-2012-1106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html

https://bugs.mageia.org/show_bug.cgi?id=6523

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: feedback => MGA2-64-OK MGA2-32-OK

Comment 12 Thomas Backlund 2012-12-11 22:19:35 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0357

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED