libqb / CVE-2019-12779

To: debian-lts@lists.debian.org
Subject: libqb / CVE-2019-12779
From: Brian May <brian@linuxpenguins.xyz>
Date: Tue, 18 Jun 2019 18:05:57 +1000
Message-id: <[🔎] 87sgs7z5ay.fsf@silverfish.pri>

The upstream patch patches "c->description" which is not used in
Jessie. OK, so probably not vulnerable.

Looking at data/dla-needed.txt:

libqb
  NOTE: 20190616: Upstream patch does not apply at all, but it appears that     
  NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or
  NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)

OK, Good point. However these files are opened with posix_mq_create,
which uses O_EXCL - my understanding is that this means these functions
are not vulnerable to symlink attacks, etc.

However lib/ipc_shm.c has calls to qb_rb_open, which doesn't have
O_EXCL, thinking this might be a vulnerability.

lib/log_blackbox.c looks similar.

qb_rb_open calls qb_sys_mmap_file_open which in turn calls
open_mmap_file which can support calling mkstemp to generate the
filename, however I think this isn't getting used (no XXXXXX in filename
string), so vulnerable still.

If you want to look at libqb probably worth double checking this in case
I got something wrong/confused :-)
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Reply to:

Follow-Ups:
- Re: libqb / CVE-2019-12779
  - From: "Chris Lamb" <lamby@debian.org>
- Re: libqb / CVE-2019-12779
  - From: Markus Koschany <apo@debian.org>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Next by Date: Re: libqb / CVE-2019-12779
Previous by thread: Re: Request for help/comments: sqlite3
Next by thread: Re: libqb / CVE-2019-12779
Index(es):
- Date
- Thread