[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling



Hi all

I have prepared a preliminary patch for wheezy. I have not yet been able to test it fully (it is building right now). It looks like attached. You may need to modify it for later versions.

Please comment. The principles should be ok even if I may have made some stupid copy+paste mistake. It worked fine in a little test program I made.

Hope this helps

// Ola

On Mon, Aug 1, 2016 at 5:53 AM, Chris Lamb <lamby@debian.org> wrote:
> 2) How do you plan to handle the "upgrade case" that is will you try to
> change the permission on already created history file or will you just
> handle the creation case?

For redis, what I did was set and then unset the umask (for creation) and
chmod(2) the file afterwards to "upgrade" existing ones.

I don't recommend a postinst approach (ie. chmod 0600 /home/*/.filename) for
various reasons.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Description: World readable dbshell log file
 This correction make sure the ~/.dbshell log file is not world readable.
 .
 mongodb (1:2.0.6-1deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Long Term Security Team.
   * Make sure dbshell log file is not readable by others.
Author: Ola Lundqvist <opal@debian.org>
Origin: other
Bug: https://jira.mongodb.org/browse/SERVER-25335
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908
Forwarded: no
Reviewed-By: Ola Lundqvist <opal@debian.org>
Last-Update: 2016-08-01

Index: mongodb-2.0.6/third_party/linenoise/linenoise.cpp
===================================================================
--- mongodb-2.0.6.orig/third_party/linenoise/linenoise.cpp	2012-06-04 13:42:54.000000000 +0000
+++ mongodb-2.0.6/third_party/linenoise/linenoise.cpp	2016-08-01 22:05:34.234826380 +0000
@@ -104,11 +104,13 @@
 
 #include <termios.h>
 #include <unistd.h>
+#include <fcntl.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <unistd.h>
@@ -799,6 +801,9 @@
 /* Save the history in the specified file. On success 0 is returned
  * otherwise -1 is returned. */
 int linenoiseHistorySave(const char *filename) {
+    mode_t prev_mask = umask(0022);
+    // Make sure this file is not readable by others
+    umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH);
     FILE *fp = fopen(filename,"w");
     int j;
     
@@ -817,6 +822,16 @@
  * If the file exists and the operation succeeded 0 is returned, otherwise
  * on error -1 is returned. */
 int linenoiseHistoryLoad(const char *filename) {
+    struct stat fileStat;
+    if (stat(filename,&fileStat) < 0) return -1;
+    if (fileStat.st_mode & S_IROTH ||
+	fileStat.st_mode & S_IWOTH ||
+	fileStat.st_mode & S_IXOTH) {
+      // If the file is world readable, writeable or executable
+      // make sure it is not but keep all other permissions.
+      chmod(filename, fileStat.st_mode & 0777770);
+    }
+
     FILE *fp = fopen(filename,"r");
     char buf[LINENOISE_MAX_LINE];
     

Reply to: