Bug 1131954 - (CVE-2019-3684) VUL-0: CVE-2019-3684: susemanager: installer creates world-readable swap files
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
P3 - Medium : Normal
Assigned To: Julio González Gil
Reported: 2019-04-09 09:30 UTC by Malte Kraus
Modified: 2019-07-29 14:37 UTC (History)
Description Malte Kraus 2019-04-09 09:30:31 UTC
When the setup routine for SUSE Manager detects that the system has no swap, it creates a swap file with insecure permissions. The setup itself was already fixed for the upcoming SUSE Manager 4 [1]. But current versions still create these swap files with insecure permissions and any systems where this setup has run still have wrong permissions on /SWAPFILE.

1: https://github.com/uyuni-project/uyuni/pull/562/commits/1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade
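A check for systems where the setup has already run, as an added example that is not part of the original report and is not the Uyuni/SUSE Manager fix. The function names are illustrative; it assumes GNU `stat` and `dd` and the `/proc/swaps` column layout (Filename, Type, ...).

```bash
#!/bin/sh
# Added example (not project code): find swap files readable by group/others
# and create new ones so they are never readable by anyone but the owner.

# Return 0 if the file grants no permission bits to group or others.
swap_mode_is_safe() {
    mode=$(stat -c '%a' -- "$1") || return 2
    # Leading 0 makes the value octal; 077 masks the group/other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Read a /proc/swaps-format table (default: the live one) and report every
# file-backed swap area with unsafe permissions. Returns 1 if any was found.
audit_swapfiles() {
    swaps=${1:-/proc/swaps}
    rc=0
    while read -r name type rest; do
        # The header row and partition entries do not have Type "file".
        [ "$type" = "file" ] || continue
        if ! swap_mode_is_safe "$name"; then
            cur=$(stat -c '%a' -- "$name" 2>/dev/null || echo unknown)
            echo "INSECURE: $name (mode $cur)"
            rc=1
        fi
    done < "$swaps"
    return $rc
}

# Create a zero-filled file of $2 MiB at $1. The umask keeps a newly created
# file at 0600 from the first byte; chmod covers a pre-existing path.
# Running mkswap/swapon afterwards is left to the caller (needs root).
create_swapfile() {
    ( umask 077 && dd if=/dev/zero of="$1" bs=1M count="$2" status=none ) &&
        chmod 600 -- "$1"
}

# Stand-alone use: sh swapcheck.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_swapfiles
fi
```

On an affected host, `chmod 600 /SWAPFILE` clears the finding; the audit only reports current permissions.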
Comment 1 Johannes Segitz 2019-04-09 09:43:38 UTC
this is CVE-2019-3684
Comment 2 Ruediger Oertel 2019-04-09 23:00:00 UTC
I don't have the slightest idea why this bug ends up with me ...
Comment 3 Malte Kraus 2019-04-10 08:40:50 UTC
Maybe I'm doing something stupid there, Rüdiger, but 'ibs maintainer SUSE:SLE-12-SP3:Update:Products:Manager32:Update/susemanager' gives me (only) your name.
Comment 4 Julio González Gil 2019-04-10 09:42:23 UTC
This is correctly assigned to SUSE Manager, and since I fixed it for 4.0 (well, for new installations), I am the right assignee.
Comment 5 Julio González Gil 2019-05-13 12:35:57 UTC
Fix for Uyuni (and SUSE Manager) 4.0: https://github.com/uyuni-project/uyuni/pull/965

As soon as it's approved and merged, I will port back to 3.2
Comment 6 Julio González Gil 2019-05-13 13:52:50 UTC
SUSE Manager 3.2: https://github.com/SUSE/spacewalk/pull/7802
SUSE Manager 3.1: https://github.com/SUSE/spacewalk/pull/7801
Comment 7 Julio González Gil 2019-05-13 14:04:06 UTC
Sorry, SUSE Manager 3.1 is https://github.com/SUSE/spacewalk/pull/7803
Comment 8 Julio González Gil 2019-05-13 15:07:18 UTC
All PRs merged.

@Security, what's the procedure? I guess closing the issue is on your side, right?
Comment 13 Swamp Workflow Management 2019-06-25 16:22:04 UTC
SUSE-RU-2019:1706-1: An update that has 30 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1102819,1117017,1121439,1122680,1123375,1125015,1125090,1128061,1128838,1129079,1130492,1130551,1130784,1131408,1131423,1131704,1131780,1131867,1131929,1131954,1132080,1132103,1132197,1133424,1133523,1133587,1133629,1134195,1134876,1135166
CVE References: 
Sources used:
SUSE Manager Server 3.2 (src):    release-notes-susemanager-3.2.8-6.32.1
SUSE Manager Proxy 3.2 (src):    release-notes-susemanager-proxy-3.2.8-0.16.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-06-25 16:33:30 UTC
SUSE-RU-2019:1703-1: An update that solves one vulnerability and has 24 fixes is now available.

Category: recommended (moderate)
Bug References: 1117017,1125090,1128061,1128838,1129079,1130492,1130551,1131408,1131423,1131704,1131780,1131867,1131929,1131954,1132080,1132103,1132197,1133424,1133587,1133629,1134195,1134876,1135166,1136029,1136423
CVE References: CVE-2019-3684
Sources used:
SUSE Manager Server 3.2 (src):    cobbler-2.6.6-6.19.1, py26-compat-salt-2016.11.10-6.26.1, salt-netapi-client-0.16.0-4.11.1, spacewalk-backend-2.8.57.16-3.30.1, spacewalk-certs-tools-2.8.8.10-3.11.1, spacewalk-config-2.8.5.7-3.16.1, spacewalk-java-2.8.78.22-3.32.1, spacewalk-web-2.8.7.16-3.27.1, susemanager-3.2.18-3.25.2, susemanager-docs_en-3.2-11.26.1, susemanager-schema-3.2.19-3.25.1, susemanager-sls-3.2.25-3.29.1, susemanager-sync-data-3.2.15-3.23.1
SUSE Manager Proxy 3.2 (src):    rhncfg-5.10.122.3-3.3.1, spacewalk-backend-2.8.57.16-3.30.1, spacewalk-certs-tools-2.8.8.10-3.11.1, spacewalk-proxy-2.8.5.5-3.6.2, spacewalk-proxy-installer-2.8.6.6-3.12.1, spacewalk-web-2.8.7.16-3.27.1, zypp-plugin-spacewalk-1.0.5-3.7.1
Comment 15 Swamp Workflow Management 2019-06-25 16:36:42 UTC
SUSE-SU-2019:1703-1: An update that solves one vulnerability and has 24 fixes is now available.

Category: security (moderate)
Bug References: 1117017,1125090,1128061,1128838,1129079,1130492,1130551,1131423,1131704,1131780,1131867,1131929,1131954,1132103,1132197,1133424,1133587,1133629,1134195,1134876,1135166,1136029,1136102,1136250,1136423
CVE References: CVE-2019-3684
Sources used:
SUSE Manager Server 3.2 (src):    cobbler-2.6.6-6.19.1, py26-compat-salt-2016.11.10-6.26.1, salt-netapi-client-0.16.0-4.11.1, spacewalk-backend-2.8.57.16-3.30.1, spacewalk-certs-tools-2.8.8.10-3.11.1, spacewalk-config-2.8.5.7-3.16.1, spacewalk-java-2.8.78.22-3.32.1, spacewalk-web-2.8.7.16-3.27.1, susemanager-3.2.18-3.25.2, susemanager-docs_en-3.2-11.26.1, susemanager-schema-3.2.19-3.25.1, susemanager-sls-3.2.25-3.29.1, susemanager-sync-data-3.2.15-3.23.1
SUSE Manager Proxy 3.2 (src):    rhncfg-5.10.122.3-3.3.1, spacewalk-backend-2.8.57.16-3.30.1, spacewalk-certs-tools-2.8.8.10-3.11.1, spacewalk-proxy-2.8.5.5-3.6.2, spacewalk-proxy-installer-2.8.6.6-3.12.1, spacewalk-web-2.8.7.16-3.27.1, zypp-plugin-spacewalk-1.0.5-3.7.1
Comment 16 Julio González Gil 2019-07-29 07:31:54 UTC
I guess this can be closed already?

- 3.1: Although I merged the PR, EoL was near and it came before we did another MU.
- 3.2: released
- 4.0: Fix was part of GM.
Comment 17 Alexandros Toptsoglou 2019-07-29 09:31:40 UTC
done