Bug 6523 - abrt possible security issues CVE-2011-4088 and CVE-2012-1106
: abrt possible security issues CVE-2011-4088 and CVE-2012-1106
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/502705/
: MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-20 18:32 CEST by David Walser
Modified: 2012-12-11 22:19 CET (History)
5 users (show)

See Also:
Source RPM: abrt
CVE:


Attachments

Description David Walser 2012-06-20 18:32:17 CEST
RedHat has issued an advisory today (June 20):
https://rhn.redhat.com/errata/RHSA-2012-0841.html

We have these packaged in Mageia 2.  I can't find anything that says which versions of these packages are affected, but most likely ours are affected.
Comment 1 David Walser 2012-11-21 16:28:00 CET
Not 100% sure, but looks like CVE-2011-4088 is probably fixed in abrt 2.0.7 and libreport 2.0.8, so Mageia 2 and Cauldron would be OK.

It looks like CVE-2012-1106 was fixed in abrt 2.0.8 or 2.0.9, so we need to update that.
Comment 2 David Walser 2012-11-21 18:19:36 CET
Patched abrt package uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated abrt packages fix security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access (CVE-2012-1106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html
========================

Updated packages in core/updates_testing:
========================
abrt-2.0.7-3.1.mga2
libabrt0-2.0.7-3.1.mga2
libabrt-devel-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-cli-2.0.7-3.1.mga2
abrt-desktop-2.0.7-3.1.mga2

from abrt-2.0.7-3.1.mga2.src.rpm
Comment 3 Dave Hodgins 2012-11-22 03:22:54 CET
Any suggestions for testing this?  I've tried following
http://fedoraproject.org/wiki/QA:Testcase_ABRT_CLI

Using "kill -SIGSEGV $pid", where the pid was a running firefox or kcalc
process, but "abrt-cli list" is not showing any output.
Comment 4 David Walser 2012-11-22 03:27:28 CET
I'm not sure the integration status of abrt in Mageia, but maybe Thierry knows.  He mentioned on the mageia-dev list that he's used it with GNOME apps:
https://www.mageia.org/pipermail/mageia-dev/2012-August/018250.html
Comment 5 Dave Hodgins 2012-11-22 05:02:57 CET
Thanks.  It works with gedit.  I'll look into testing it more tomorrow.

[dave@x2v Documents]$ kill -SIGSEGV 3082
[dave@x2v Documents]$ abrt-cli list
[1]+  Segmentation fault      (core dumped) gedit
Comment 6 Dave Hodgins 2012-11-22 23:14:12 CET
In /etc/sysctl.conf, I've added the line
fs.suid_dumpable=2
and run sysctl -p.

I mistook the seg fault output in Comment 5 as being output from abrt-cli list,
but it isn't.

As far as I can see, the core dump is not being generated, or captured
by abrt. The directory /var/spool/abrt is empty.

The abrt services are all running, so I'm not sure what else is needed,
to activate it, or confirm it's working as it's supposed to.

Any ideas?
Comment 7 David Walser 2012-11-22 23:27:25 CET
I think by default on Mageia, you can't make core files because of the ulimit settings, maybe a ulimit -c <large number> command will allow them to be created.
Comment 8 Dave Hodgins 2012-11-23 04:26:15 CET
/etc/profile.d/00abrt.sh from abrt-addon-ccpp is already running
ulimit -c unlimited
so that's not it.

Do the debug packages have to be installed for abrt to work?
Comment 9 David Walser 2012-11-23 04:42:50 CET
I wouldn't think so.

Thierry, can you give some input here?
Comment 10 claire robinson 2012-11-30 19:33:41 CET
Pinging for feedback please.
Please see comment 6 onwards
Comment 11 Dave Hodgins 2012-12-08 03:35:44 CET
As discussed in yesterdays qa meeting, I can only confirm the abrtd service
starts ok, on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
abrt-2.0.7-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated abrt packages fix security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access (CVE-2012-1106).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html

https://bugs.mageia.org/show_bug.cgi?id=6523
Comment 12 Thomas Backlund 2012-12-11 22:19:35 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0357

Note You need to log in before you can comment on or make changes to this bug.