From e721bc775d9270ac8d9d8daf2fe3f83bffe5d761 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Wed, 30 Sep 2015 11:50:18 +0200
Subject: [PATCH] a-a-i-d-to-abrt-cache: make own random temporary directory
The set-user-ID wrapper must use own new temporary directory in order to
avoid security issues with unpacking specially crafted debuginfo
packages that might be used to create files or symlinks anywhere on the
file system as the abrt user.
Withot the forking code the temporary directory would remain on the
filesystem in the case where all debuginfo data are already available.
This is caused by the fact that the underlying libreport functionality
accepts path to a desired temporary directory and creates it only if
necessary. Otherwise, the directory is not touched at all.
This commit addresses CVE-2015-5273
Related: #1262252
Signed-off-by: Jakub Filak <jfilak@redhat.com>
---
src/plugins/Makefile.am | 1 +
.../abrt-action-install-debuginfo-to-abrt-cache.c | 41 +++++++++++++++++++---
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am
index 326bb6e..6dde4b7 100644
--- a/src/plugins/Makefile.am
+++ b/src/plugins/Makefile.am
@@ -261,6 +261,7 @@ abrt_action_install_debuginfo_to_abrt_cache_CPPFLAGS = \
-D_GNU_SOURCE \
-DBIN_DIR=\"$(bindir)\" \
-DSBIN_DIR=\"$(sbindir)\" \
+ -DLARGE_DATA_TMP_DIR=\"$(LARGE_DATA_TMP_DIR)\" \
$(LIBREPORT_CFLAGS) \
-Wall -Wwrite-strings \
-fPIE
diff --git a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
index 81b1486..52d00de 100644
--- a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
+++ b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
@@ -108,8 +108,14 @@ int main(int argc, char **argv)
build_ids_self_fd = xasprintf("/proc/self/fd/%d", build_ids_fd);
}
- /* name, -v, --ids, -, -y, -e, EXACT, -r, REPO, --, NULL */
- const char *args[11];
+ char tmp_directory[] = LARGE_DATA_TMP_DIR"/abrt-tmp-debuginfo.XXXXXX";
+ if (mkdtemp(tmp_directory) == NULL)
+ perror_msg_and_die("Failed to create working directory");
+
+ log_info("Created working directory: %s", tmp_directory);
+
+ /* name, -v, --ids, -, -y, -e, EXACT, -r, REPO, -t, PATH, --, NULL */
+ const char *args[13];
{
const char *verbs[] = { "", "-v", "-vv", "-vvv" };
unsigned i = 0;
@@ -130,6 +136,8 @@ int main(int argc, char **argv)
args[i++] = "--repo";
args[i++] = repo;
}
+ args[i++] = "--tmpdir";
+ args[i++] = tmp_directory;
args[i++] = "--";
args[i] = NULL;
}
@@ -204,6 +212,31 @@ int main(int argc, char **argv)
umask(0022);
}
- execvp(EXECUTABLE, (char **)args);
- error_msg_and_die("Can't execute %s", EXECUTABLE);
+ pid_t pid = fork();
+ if (pid < 0)
+ perror_msg_and_die("fork");
+
+ if (pid == 0)
+ {
+ execvp(EXECUTABLE, (char **)args);
+ error_msg_and_die("Can't execute %s", EXECUTABLE);
+ }
+
+ int status;
+ if (safe_waitpid(pid, &status, 0) < 0)
+ perror_msg_and_die("waitpid");
+
+ if (rmdir(tmp_directory) >= 0)
+ log_info("Removed working directory: %s", tmp_directory);
+ else if (errno != ENOENT)
+ perror_msg("Failed to remove working directory");
+
+ /* Normal execution should exit here. */
+ if (WIFEXITED(status))
+ return WEXITSTATUS(status);
+
+ if (WIFSIGNALED(status))
+ error_msg_and_die("Child terminated with signal %d", WTERMSIG(status));
+
+ error_msg_and_die("Child exit failed");
}
--
1.8.3.1