First published: Thu Nov 12 2015(Updated: )
Description of problem:

aRts and kdelibs3 each use their own copy of the same "lnusertemp" code to create a user-specific socket directory for IPC. If the usual location, which is well-known, is unavailable, a random directory name is created with mktemp(3). A malicious process could therefore create the well-known location to force the race condition inherent in mktemp(3), and then potentially beat it in order to hijack the IPC of aRts and/or KDE.

Version-Release number of selected component (if applicable):

arts-1.5.10-26.fc22.x86_64
kdelibs3-3.5.10-68.fc22.x86_64
(I believe all versions of Fedora are affected, as well as RHEL 5 and 6)

Steps to Reproduce:

(Warning: Do NOT try this during a KDE session!)

0. KSOCKETDIR=/tmp/ksocket-`id -un`
1. rm -f ~/.kde/socket-$HOSTNAME   # (not strictly necessary but does cause this to be logged with 'artsd -l 0')
2. rm -fr $KSOCKETDIR && touch $KSOCKETDIR
   OR: su -c "mkdir -m 0700 $KSOCKETDIR" [OTHER_USER]
3. artsd -l 0 -a alsa
   OR: kdeinit
   OR: lnusertemp socket

Actual results:

A ${KSOCKETDIR}XXXXXX directory is created by mktemp(3), with all the usual implications, then symlinked to ~/.kde/socket-$HOSTNAME.

Expected results:

mkdtemp(3) should be used to create the fallback socket directory instead of mktemp(3).

Additional info:

This was fixed upstream in commit cc5515ed7ce8884c9b18169158ba29ab2f7a3db7 (together with a bunch of unrelated changes) during the Qt3->4 porting phase, so kdelibs-4.x should never have been affected by itself. However, if the socket directory is created first by aRts or KDE3, as long as it exists it would also be used by KDE4 processes.
The relevant part of said commit should backport easily to both arts (mcop/mcoputils.cc) and kdelibs3 (kinit/lnusertemp.c): https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
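As an added illustration of the fix the report asks for (this is example code, not the lnusertemp code from arts, kdelibs3 or the upstream commit), the fallback directory is created with mkdtemp(3), which makes the directory atomically with mode 0700 instead of handing back a name that another process can claim first; it is paired with an ownership and mode check on the well-known path. Function names and the sample path are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `path` is a directory owned by the caller with mode 0700
 * (no group/other bits), i.e. usable as a private socket directory.
 * lstat() is used so a symlink planted at the well-known location fails. */
int secure_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create a private fallback directory next to `wellknown` with mkdtemp(3).
 * mktemp(3) only returns a name, leaving a window in which another process
 * can claim it before the caller's mkdir(); mkdtemp() creates the directory
 * itself, atomically and with mode 0700. The final path is written to `out`. */
int create_fallback_dir(const char *wellknown, char *out, size_t outlen)
{
    if (strlen(wellknown) + 7 > outlen) {   /* "XXXXXX" + NUL must fit */
        errno = ENAMETOOLONG;
        return -1;
    }
    snprintf(out, outlen, "%sXXXXXX", wellknown);
    return mkdtemp(out) == NULL ? -1 : 0;   /* errno set by mkdtemp */
}

int main(void)
{
    char dir[256];
    const char *base = "/tmp/ksocket-example";  /* constructed sample path */
    if (secure_private_dir(base))
        printf("using existing %s\n", base);
    else if (create_fallback_dir(base, dir, sizeof dir) == 0)
        printf("created fallback %s\n", dir);
    else
        perror("create_fallback_dir");
    return 0;
}
```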
Affected Software | Affected Version | How to fix
---|---|---
KDE aRts | |
KDE kdelibs3 | |
Fedora | <=22 |
Red Hat Enterprise Linux | >5<=6 |