1213526 – AUDIT-FIND: nqptp: world-writable SHM in /dev/shm/nqptp

Bug 1213526 - AUDIT-FIND: nqptp: world-writable SHM in /dev/shm/nqptp

Summary: AUDIT-FIND: nqptp: world-writable SHM in /dev/shm/nqptp

Status:	IN_PROGRESS

Alias:	None

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Martin Pluskal
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:	1212951
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2023-07-20 16:03 UTC by Wolfgang Frisch
Modified:	2023-10-12 12:22 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2023-07-20 16:03:49 UTC

+++ This bug was initially created as a clone of Bug #1212951 +++

nqptp is designed to interoperate with other programs via a POSIX shared
memory object in `/dev/shm/nqptp`. nqptp runs as root and creates this SHM object with world-writable permissions, allowing any unprivileged user to corrupt it.

Comment 1 Wolfgang Frisch 2023-07-20 16:13:48 UTC

Forwarded to upstream

Comment 2 Wolfgang Frisch 2023-09-04 08:48:40 UTC

2023-09-01: Upstreamed confirmed they're working on this.

Comment 3 Wolfgang Frisch 2023-09-21 11:02:29 UTC

Addressed by upstream:
https://github.com/mikebrady/nqptp/releases/tag/1.2.4