Bugzilla – Bug 958347
VUL-0: CVE-2015-7543: arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
Last modified: 2021-06-17 08:58:50 UTC
quoting from redhat bug rh#1280543

aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC. If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3). A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):
arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:
(Warning: Do NOT try this during a KDE session!)
0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
   OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
   OR: kdeinit
   OR: lnusertemp socket

Actual results:
A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:
mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:
This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself. However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes.

The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c):
https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1280543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7543
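The fix the report asks for, shown as an added illustration that is not code from aRts, kdelibs3 or the upstream commit: a fallback socket-directory routine built on mkdtemp(3), with the racy mktemp(3)+mkdir() pattern described in comments for contrast. The function names choose_socket_dir and dir_is_private are assumptions made for this example; the well-known-location check (real directory, owned by the caller, no group/other access) is the part a pre-existing entry has to pass before it is trusted.

```c
#define _GNU_SOURCE          /* exposes mkdtemp(3) on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>

/* Accept a path only if it is a real directory (not a symlink) owned by the
 * calling user with no group/other permission bits. A well-known location
 * that already exists must satisfy this before it is used for IPC. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;      /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return 0;       /* plain file, symlink, socket... */
    if (st.st_uid != getuid()) return 0;      /* created by another user */
    if (st.st_mode & 077) return 0;           /* group/other may reach inside */
    return 1;
}

/* The vulnerable pattern was:  mktemp(name); mkdir(name, 0700);
 * mktemp() only returns a currently unused *name*. Between that lookup and
 * the mkdir() another process can create the same path, so the caller may
 * end up using a directory it does not own. mkdtemp() performs the lookup
 * and the creation in one call, so no such window exists.
 *
 * Writes the directory actually in use to out (outsz >= strlen(preferred)+7).
 * Returns 0 on success, -1 on failure. */
int choose_socket_dir(const char *preferred, char *out, size_t outsz)
{
    if (strlen(preferred) + 7 > outsz) return -1;

    /* Try the well-known location first. EEXIST alone is not enough: the
     * entry that is already there must also pass dir_is_private(). */
    if (mkdir(preferred, 0700) == 0 ||
        (errno == EEXIST && dir_is_private(preferred))) {
        strcpy(out, preferred);
        return 0;
    }

    /* Fallback: mkdtemp() replaces XXXXXX and creates the directory with
     * mode 0700 atomically, so the result is ours or the call fails. */
    snprintf(out, outsz, "%sXXXXXX", preferred);
    if (mkdtemp(out) == NULL) return -1;
    return dir_is_private(out) ? 0 : -1;
}
```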
bugbot adjusting priority
Cannot find the backport for arts (mcop/mcoputils.cc); could you please help find it?
Hi meissner, aRts is no longer under development and I cannot find its upstream. Do you know where it is?
SUSE-SU-2018:3487-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 958347
CVE References: CVE-2015-7543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kdelibs3-3.5.10-23.30.5.1
SUSE Linux Enterprise Server 11-SP4 (src): kdelibs3-3.5.10-23.30.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kdelibs3-3.5.10-23.30.5.1
arts fix for SLE10

The target project SUSE:SLE-10-SP2:Update:Test is not accepting requests, so I submitted against SUSE:SLE-10-SP4:Update:Test:
- https://build.suse.de/request/show/217595
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-06-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64462
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-06-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64464
Hi security team,

The patch for arts was rebased to SUSE:SLE-11:Update:
- https://build.suse.de/request/show/217598

However, the maintenance team has concerns about the patch and declined it. Could you give me some suggestions on how we should proceed with the SR?
(It was the autobuild team, and yes, the patch looks weird.) Security will take a look and help.
Created attachment 838454 [details] corrected patch
In attachment 838454 [details] you can find a cleaned-up patch to use for the update. To my understanding, apart from the cosmetics, the original patch was technically also correct.
(In reply to Matthias Gerstner from comment #20)
> Created attachment 838454 [details]
> corrected patch

Updated the patch and resubmitted:
- arts fix for SUSE:SLE-10-SP3:Update:Test https://build.suse.de/request/show/219504
- arts fix for SUSE:SLE-11:Update https://build.suse.de/request/show/219503
- kdelibs3 fix for SUSE:SLE-10-SP3:Update:Test https://build.suse.de/request/show/219505
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-07-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64469
request accepted.
Done