Bug 958347 - (CVE-2015-7543) VUL-0: CVE-2015-7543: arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/159467/
CVSSv2:RedHat:CVE-2015-7543:4.9:(AV...
Reported: 2015-12-08 13:02 UTC by Marcus Meissner
Modified: 2021-06-17 08:58 UTC (History)
Found By: Security Response Team
Attachments
corrected patch (1.46 KB, text/x-diff)
2020-06-03 10:48 UTC, Matthias Gerstner
Description Marcus Meissner 2015-12-08 13:02:32 UTC
quoting from redhat bug rh#1280543

aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC.  If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3).  A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):
arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:
(Warning: Do NOT try this during a KDE session!)
0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
OR: kdeinit
OR: lnusertemp socket

Actual results:
A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:
mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:
This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself.  However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes.

The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c):

https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1280543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7543
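As an added illustration (not code from the aRts/kdelibs3 sources or from the attached patch), the C comparison below puts the mktemp(3)-then-mkdir() fallback the report describes beside the mkdtemp(3) replacement the reporter asks for, and adds the ownership and mode checks a maintainer would apply before reusing an existing well-known socket directory. The function names and the scratch paths under /tmp are constructed for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (lnusertemp's fallback before the fix): mktemp(3) only
 * picks a name, and the mkdir() is a separate step, so another process can
 * create or symlink that path in the window between the two calls. */
int make_fallback_mktemp(char *tmpl) {
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')
        return -1;
    return mkdir(tmpl, 0700); /* racy: the name is visible before mkdir */
}

/* Hardened pattern: mkdtemp(3) chooses the name and creates the directory
 * with mode 0700 in one call, so there is no window to race. */
int make_fallback_mkdtemp(char *tmpl) {
    return mkdtemp(tmpl) == NULL ? -1 : 0;
}

/* Before reusing an existing socket directory, require a real directory
 * (lstat, so a symlink fails), owned by the caller, with no group/other bits. */
int socket_dir_is_safe(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;            /* made by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0; /* too permissive */
    return 1;
}

/* Demo on constructed paths under a private scratch directory (names are
 * made up for this example). Returns 1 if every check behaves as stated. */
int demo_fallback_checks(void) {
    char scratch[] = "/tmp/ksocket-demo-XXXXXX", wellknown[256], fallback[256];
    if (mkdtemp(scratch) == NULL) return 0;
    snprintf(wellknown, sizeof wellknown, "%s/ksocket-user", scratch);
    snprintf(fallback, sizeof fallback, "%s/ksocket-userXXXXXX", scratch);
    FILE *f = fopen(wellknown, "w");          /* plain file squatting the well-known path */
    if (f == NULL) return 0;
    fclose(f);
    int ok = !socket_dir_is_safe(wellknown);  /* must be rejected, not reused */
    ok = ok && make_fallback_mkdtemp(fallback) == 0 && socket_dir_is_safe(fallback);
    ok = ok && chmod(fallback, 0755) == 0 && !socket_dir_is_safe(fallback);
    rmdir(fallback); unlink(wellknown); rmdir(scratch); /* clean up */
    return ok;
}
```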
Comment 1 Swamp Workflow Management 2015-12-08 23:00:46 UTC
bugbot adjusting priority
Comment 3 Qiang Zheng 2018-09-12 10:20:12 UTC
Cannot find the backport of arts (mcop/mcoputils.cc); could you please help find it?
Comment 5 Qiang Zheng 2018-09-19 09:43:56 UTC
Hi meissner,
aRts is no longer under development and I cannot find its upstream; do you know where it is?
Comment 7 Swamp Workflow Management 2018-10-26 16:13:27 UTC
SUSE-SU-2018:3487-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 958347
CVE References: CVE-2015-7543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kdelibs3-3.5.10-23.30.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    kdelibs3-3.5.10-23.30.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kdelibs3-3.5.10-23.30.5.1
Comment 11 QK ZHU 2020-05-07 09:06:33 UTC
arts fix for SLE10

The target project SUSE:SLE-10-SP2:Update:Test is not accepting requests, so I submitted against SUSE:SLE-10-SP4:Update:Test:
- https://build.suse.de/request/show/217595
Comment 16 Swamp Workflow Management 2020-05-29 13:40:45 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64462
Comment 17 Swamp Workflow Management 2020-05-29 13:43:16 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64464
Comment 18 QK ZHU 2020-06-03 02:09:13 UTC
Hi security team,

The patch for arts was rebased to SUSE:SLE-11:Update:
- https://build.suse.de/request/show/217598
However, the maintenance team has concerns about the patch and declined it.

Could you give me some suggestions on how we should proceed with the SR?
Comment 19 Marcus Meissner 2020-06-03 09:01:24 UTC
(It was the autobuild team, and yes, the patch looks weird.)

Security will take a look and help.
Comment 20 Matthias Gerstner 2020-06-03 10:48:18 UTC
Created attachment 838454 [details]
corrected patch
Comment 21 Matthias Gerstner 2020-06-03 10:49:59 UTC
In attachment 838454 [details] you can find a cleaned up patch to use for the update.
To my understanding, apart from the cosmetics the original patch was technically also correct.
Comment 22 QK ZHU 2020-06-04 03:54:58 UTC
(In reply to Matthias Gerstner from comment #20)
> Created attachment 838454 [details]
> corrected patch
Updated the patch and resubmitted

- arts fix for SUSE:SLE-10-SP3:Update:Test
  https://build.suse.de/request/show/219504
- arts fix for SUSE:SLE-11:Update
  https://build.suse.de/request/show/219503
- kdelibs3 fix for SUSE:SLE-10-SP3:Update:Test 
  https://build.suse.de/request/show/219505
Comment 24 Swamp Workflow Management 2020-06-22 16:12:17 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2020-07-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64469
Comment 25 QK ZHU 2020-07-22 01:54:42 UTC
request accepted.
Comment 26 Alexandros Toptsoglou 2020-07-23 06:44:16 UTC
Done