SUSE:SLE-12-SP1:Update
pacemaker
File bug-1007433_pacemaker-libcrmcommon-CVE-2016-7035-improper-IPC-guarding.patch of Package pacemaker
commit 5d71e65049d143435b03d6b3709d82900f32276f
Author: Jan Pokorný <jpokorny@redhat.com>
Date:   Thu Nov 3 14:43:10 2016 +0100

    High: libcrmcommon: fix CVE-2016-7035 (improper IPC guarding)

    It was discovered that in some not so uncommon circumstances, some
    pacemaker daemons could be talked to, via libqb-facilitated IPC, by
    unprivileged clients due to a flawed authorization decision. Depending
    on the capabilities of the affected daemons, this might equip an
    unauthorized user with local privilege escalation or up to cluster-wide
    remote execution of possibly arbitrary commands when such a user happens
    to reside on a standard or remote/guest cluster node, respectively.

    The original vulnerability was introduced in an attempt to allow
    unprivileged IPC clients to clean up the file system materialized
    leftovers in case the server (otherwise responsible for the lifecycle
    of these files) crashes. While the intended part of such behavior is
    now effectively voided (along with the unintended one), a best-effort
    fix to address this corner case systemically at libqb is coming along
    (https://github.com/ClusterLabs/libqb/pull/231).

    Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
    Impact: Important
    CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Credits for independent findings, in chronological order:
    Jan "poki" Pokorný, of Red Hat
    Alain Moulle, of ATOS/BULL

diff --git a/lib/common/ipc.c b/lib/common/ipc.c index f060fcd..2949837 100644 --- a/lib/common/ipc.c +++ b/lib/common/ipc.c @@ -293,7 +293,6 @@ crm_client_disconnect_all(qb_ipcs_service_t *service) crm_client_t * crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client) { - static uid_t uid_server = 0; static gid_t gid_cluster = 0; crm_client_t *client = NULL;
@@ -304,7 +303,6 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client) } if (gid_cluster == 0) { - uid_server = getuid(); if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) { static bool have_error = FALSE; if(have_error == FALSE) { @@ -314,16 +312,10 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client) } } - if(gid_cluster != 0 && gid_client != 0) { - uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */ - - if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */ - best_uid = QB_MAX(uid_client, uid_server); - crm_trace("Allowing user %u to clean up after disconnect", best_uid); - } - + if (uid_client != 0) { crm_trace("Giving access to group %u", gid_cluster); - qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + /* Passing -1 to chown(2) means don't change */ + qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); } crm_client_init();
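Review bot: the `@@ -304,7 +303,6 @@` hunk removes `uid_server = getuid();` from the `if (gid_cluster == 0)` block, which now exists only to run `crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster)` lazily; since a failed lookup leaves `gid_cluster` at 0, that block is re-entered on every new client, and the retained `have_error` one-shot means only the first failure is ever logged. Worth a short comment on the block, because the authorization decision further down now keys on `uid_client` alone and relies on `gid_cluster` having been resolved here.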
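Review bot: in the `@@ -314,16 +312,10 @@` hunk the new condition `if (uid_client != 0)` drops the old `gid_cluster != 0` guard, so when the `crm_user_lookup` call above has failed and `gid_cluster` is still 0, `qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)` is now reached with group 0 and group read/write; keep the guard (`if (gid_cluster != 0 && uid_client != 0)`) or skip the call when the lookup failed. The ownership change itself is the right fix: with the removed lines, a daemon running as root (`uid_server == 0`) serving an unprivileged client made `best_uid = QB_MAX(uid_client, uid_server)` equal to the client's uid, so the connection's files were chowned to that client, and passing -1 (the "don't change" value the comment documents) closes that path.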
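The commit message above says only that the authorization decision was "flawed"; the removed and added lines show exactly where. The following is an added example, not pacemaker or libqb code: it models the owner and group arguments that `crm_client_new()` hands to `qb_ipcs_connection_auth_set()` before and after the fix as two pure functions, so the outcome can be tabulated for sample uid/gid pairs. Assumptions not taken from the page: `EX_MAX` stands in for libqb's `QB_MAX`, the struct and function names are this example's own, the cluster user's uid/gid of 189 and the other uids are constructed sample inputs.

```c
/*
 * Added example (not pacemaker/libqb code): model of the chown owner/group
 * that crm_client_new() passed to qb_ipcs_connection_auth_set() before and
 * after the CVE-2016-7035 fix, for side-by-side comparison.
 * Assumptions: EX_MAX stands in for QB_MAX; names and sample uids are ours.
 */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define EX_MAX(a, b) ((a) > (b) ? (a) : (b))
#define NO_CHANGE ((uid_t)-1)   /* -1 to chown(2): leave the owner alone */

struct auth_args {
    bool   called;  /* would qb_ipcs_connection_auth_set() be invoked at all */
    uid_t  owner;   /* uid passed as owner; NO_CHANGE means not chowned */
    gid_t  group;   /* gid passed as group */
    mode_t mode;    /* permission bits passed along */
};

/* Decision as in the removed lines (pacemaker 1.1.10-rc1 .. 1.1.15). */
struct auth_args auth_before(uid_t uid_client, gid_t gid_client,
                             uid_t uid_server, gid_t gid_cluster)
{
    struct auth_args a = { false, NO_CHANGE, 0, 0 };

    if (gid_cluster != 0 && gid_client != 0) {
        uid_t best_uid = NO_CHANGE;

        /* When either side is root, the larger (i.e. the non-root) uid
         * becomes the owner of the connection's files. */
        if (uid_client == 0 || uid_server == 0) {
            best_uid = EX_MAX(uid_client, uid_server);
        }
        a.called = true;
        a.owner  = best_uid;
        a.group  = gid_cluster;
        a.mode   = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
    }
    return a;
}

/* Decision as in the added lines: owner is never changed, group access is
 * granted only when the client is not root. */
struct auth_args auth_after(uid_t uid_client, gid_t gid_cluster)
{
    struct auth_args a = { false, NO_CHANGE, 0, 0 };

    if (uid_client != 0) {
        a.called = true;
        a.owner  = NO_CHANGE;
        a.group  = gid_cluster;
        a.mode   = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
    }
    return a;
}

/* True when the client, not the daemon, would end up owning the
 * connection's files: the case the fix removes. */
bool client_takes_ownership(struct auth_args a, uid_t uid_client, uid_t uid_server)
{
    return a.called && a.owner != NO_CHANGE
        && a.owner == uid_client && uid_client != uid_server;
}

static void show(const char *tag, struct auth_args a)
{
    if (!a.called) {
        printf("  %s: auth_set not called\n", tag);
    } else {
        printf("  %s: owner=%d group=%u mode=%04o\n", tag,
               (int)a.owner, (unsigned)a.group, (unsigned)a.mode);
    }
}

int main(void)
{
    /* Constructed sample pairs; 189 is an assumed uid/gid for the cluster user. */
    const gid_t gid_cluster = 189;
    struct { uid_t uc; gid_t gc; uid_t us; const char *label; } cases[] = {
        { 1000, 1000,   0, "root daemon, unprivileged client" },
        { 1000, 1000, 189, "cluster-user daemon, unprivileged client" },
        {    0,    0, 189, "cluster-user daemon, root client" },
        {    0,    0,   0, "root daemon, root client" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct auth_args b = auth_before(cases[i].uc, cases[i].gc, cases[i].us, gid_cluster);
        struct auth_args n = auth_after(cases[i].uc, gid_cluster);
        printf("%s (client owned the files before the fix: %s)\n", cases[i].label,
               client_takes_ownership(b, cases[i].uc, cases[i].us) ? "yes" : "no");
        show("before", b);
        show("after ", n);
    }
    return 0;
}
```

The first sample row is the one the commit message describes: a daemon running as root serving a uid 1000 client yields owner 1000 under the old decision, so the unprivileged client became owner of the IPC files, while the new decision leaves the owner untouched and only grants the cluster group read/write.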