From d572bdf341bccafe55367335b0fe1c83553e6993 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Wed, 9 Oct 2013 12:08:10 +0100 Subject: [PATCH] fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). When using the guestfish --remote or guestfish --listen options, guestfish would create a socket in a known location (/tmp/.guestfish-$UID/socket-$PID). The location has to be a known one in order for both ends to communicate. However no checking was done that the containing directory (/tmp/.guestfish-$UID) is owned by the user. Thus another user could create this directory and potentially modify sockets owned by another user's guestfish client or server. This commit fixes the issue by creating the directory unconditionally, and then checking that the directory has the correct owner and permissions, thus preventing another user from creating the directory first. If guestfish sees a suspicious socket directory it will print an error like this and exit with an error status: guestfish: '/tmp/.guestfish-1000' is not a directory or has insecure owner or permissions Thanks: Michael Scherer for discovering this issue. Version 2: - Add assigned CVE number. - Update documentation. Signed-off-by: Richard W.M. Jones --- fish/guestfish.pod | 3 +++ fish/rc.c | 43 +++++++++++++++++++++++++++++++++++++++---- src/guestfs.pod | 17 +++++++++++++++++ 3 files changed, 59 insertions(+), 4 deletions(-) diff --git a/fish/guestfish.pod b/fish/guestfish.pod index 06663ac..2ecc058 100644 --- a/fish/guestfish.pod +++ b/fish/guestfish.pod @@ -1006,6 +1006,9 @@ user ID of the process, and C<$PID> is the process ID of the server. Guestfish client and server versions must match exactly. +Older versions of guestfish were vulnerable to CVE-2013-4419 (see +L). This is fixed in the current version. + =head2 USING REMOTE CONTROL ROBUSTLY FROM SHELL SCRIPTS From Bash, you can use the following code which creates a guestfish diff --git a/fish/rc.c b/fish/rc.c index aa4b849..c736042 100644 --- a/fish/rc.c +++ b/fish/rc.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -38,17 +39,49 @@ #include "fish.h" #include "rc_protocol.h" +/* Because this is a Unix domain socket, the total path length must be + * under 108 bytes. + */ +#define SOCKET_DIR "/tmp/.guestfish-%d" /* euid */ +#define SOCKET_PATH "/tmp/.guestfish-%d/socket-%d" /* euid, pid */ + +static void +create_sockdir (void) +{ + uid_t euid = geteuid (); + char dir[128]; + int r; + struct stat statbuf; + + /* Create the directory, and ensure it is owned by the user. */ + snprintf (dir, sizeof dir, SOCKET_DIR, euid); + r = mkdir (dir, 0700); + if (r == -1 && errno != EEXIST) { + error: + perror (dir); + exit (EXIT_FAILURE); + } + if (lstat (dir, &statbuf) == -1) + goto error; + if (!S_ISDIR (statbuf.st_mode) || + (statbuf.st_mode & 0777) != 0700 || + statbuf.st_uid != euid) { + fprintf (stderr, + _("guestfish: '%s' is not a directory or has insecure owner or permissions\n"), + dir); + exit (EXIT_FAILURE); + } +} + static void create_sockpath (pid_t pid, char *sockpath, size_t len, struct sockaddr_un *addr) { - char dir[128]; uid_t euid = geteuid (); - snprintf (dir, sizeof dir, "/tmp/.guestfish-%d", euid); - ignore_value (mkdir (dir, 0700)); + create_sockdir (); - snprintf (sockpath, len, "/tmp/.guestfish-%d/socket-%d", euid, pid); + snprintf (sockpath, len, SOCKET_PATH, euid, pid); addr->sun_family = AF_UNIX; strcpy (addr->sun_path, sockpath); @@ -196,6 +229,8 @@ rc_listen (void) memset (&hello, 0, sizeof hello); memset (&call, 0, sizeof call); + create_sockdir (); + pid = fork (); if (pid == -1) { perror ("fork"); diff --git a/src/guestfs.pod b/src/guestfs.pod index 0c57f50..eedea94 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -1998,6 +1998,23 @@ double-free in the C library (denial of service). It is sufficient to update libguestfs to a version that is not vulnerable: libguestfs E 1.20.8, E 1.22.2 or E 1.23.2. +=head2 CVE-2013-4419 + +L + +When using the L I<--remote> or guestfish I<--listen> +options, guestfish would create a socket in a known location +(C). + +The location has to be a known one in order for both ends to +communicate. However no checking was done that the containing +directory (C) is owned by the user. Thus +another user could create this directory and potentially hijack +sockets owned by another user's guestfish client or server. + +It is sufficient to update libguestfs to a version that is not +vulnerable: libguestfs E 1.20.12, E 1.22.7 or E 1.24. + =head1 CONNECTION MANAGEMENT =head2 guestfs_h * -- 1.8.3.1