[Debian-ha-maintainers] Bug#927159: libqb: CVE-2019-12779: Insecure Temporary Files

Moritz Muehlenhoff jmm at inutil.org
Mon Jun 17 08:07:56 BST 2019


On Mon, Jun 17, 2019 at 12:52:54AM +0200, wferi at niif.hu wrote:
> Dear Security Team,
> 
> I'm ready to upload libqb-1.0.1-1+deb9u1 with the following debdiff:
> 
> diff -Nru libqb-1.0.1/debian/changelog libqb-1.0.1/debian/changelog
> --- libqb-1.0.1/debian/changelog	2016-12-07 14:55:45.000000000 +0100
> +++ libqb-1.0.1/debian/changelog	2019-06-16 23:41:50.000000000 +0200
> @@ -1,3 +1,21 @@
> +libqb (1.0.1-1+deb9u1) stretch-security; urgency=high
> +
> +  * [38e0e13] Backport upstream security fixes for CVE-2019-12779.
> +    Libqb creates files in world-writable directories (/dev/shm, /tmp) with
> +    rather predictable file names (for example in case of USBGuard with names
> +    like /dev/shm/qb-usbguard-request-7096-835-12-data). Also O_EXCL flag is
> +    not used when opening the files. This could be exploited by a local
> +    attacker to overwrite privileged system files (if not restricted by
> +    sandboxing, MAC or symlinking policies).
> +    Original report:  https://github.com/ClusterLabs/libqb/issues/338
> +    Add O_EXCL:       https://github.com/ClusterLabs/libqb/pull/339
> +    Use mkdtemp():    https://github.com/ClusterLabs/libqb/pull/345
> +    Regression fixes: https://github.com/ClusterLabs/libqb/pull/349
> +    (Closes: #927159)
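
Review bot: the hunk header "@@ -1,3 +1,21 @@" announces 18 added lines, but the quote stops at "(Closes: #927159)" with neither the " -- maintainer <email>  date" trailer nor the three unchanged context lines, so the debdiff is truncated as quoted, and the source-level backport of the three linked PRs (add O_EXCL, use mkdtemp(), regression fixes) does not appear in this message at all; the backport can't be compared against upstream from this mail alone, so the complete debdiff should be resent. One documentation point for the entry itself: the qualifier "if not restricted by sandboxing, MAC or symlinking policies" would be more useful if it named fs.protected_symlinks, which Debian kernels enable by default, since that is the mitigation that decides between a DSA and a point release.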

Debian has enabled fs.protected_symlinks by default since Jessie, and running it
without this option is an unsupported configuration (i.e. if anyone builds
their own kernel, they also need to enable it). This can still be fixed via a point
release, but it doesn't warrant a DSA.

Cheers,
        Moritz
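As an added illustration, not code from libqb or from either poster: the open() pattern the changelog describes (a predictable name in /dev/shm or /tmp, no O_EXCL) beside a stand-alone sketch of the two mitigations the linked PRs are titled after (add O_EXCL, use mkdtemp()), with a self-check that an entry already present at the name is refused. The function names and the "request-data" file name are hypothetical.

```c
/* Added example, not libqb code; all names and paths here are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe (the changelog's pattern): no O_EXCL, so a file or symlink already planted at the name is reused. */
int open_ipc_file_unsafe(const char *path)
{
    return open(path, O_CREAT | O_RDWR, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if any entry, a symlink included, already has this name. */
int open_ipc_file_safe(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_RDWR | O_NOFOLLOW, 0600); /* O_NOFOLLOW: second guard */
}

/* Private 0700 directory with an unpredictable name under base (e.g. /dev/shm), then the file inside it. */
int create_ipc_file(const char *base, const char *name, char *out, size_t outlen)
{
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/qb-XXXXXX", base); /* if truncated, mkdtemp() fails below */
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen) {
        rmdir(dir); errno = ENAMETOOLONG; return -1;
    }
    int fd = open_ipc_file_safe(out);
    if (fd < 0) { int e = errno; rmdir(dir); errno = e; }
    return fd;   /* caller gets the fd; the full path is in out */
}

/* Self-check: the hardened open refuses the now-existing file (EEXIST), the unsafe open reuses it. 1 if so. */
int demo_reuse_check(const char *base)
{
    char path[PATH_MAX];
    int fd = create_ipc_file(base, "request-data", path, sizeof path);
    if (fd < 0) return 0;
    close(fd);
    int ok = open_ipc_file_safe(path) == -1 && errno == EEXIST;
    int fd2 = open_ipc_file_unsafe(path);
    if (fd2 >= 0) close(fd2); else ok = 0;
    unlink(path); *strrchr(path, '/') = '\0'; rmdir(path); /* remove file, then the mkdtemp() dir */
    return ok;
}
```

With fs.protected_symlinks set, the kernel independently refuses to follow a symlink in a world-writable sticky directory unless the follower or the directory owner also owns the link, which is the mitigation Moritz refers to; the O_EXCL check above does not depend on it.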


