
Bug 699860 (CVE-2019-12779)

Summary: <sys-cluster/libqb-1.0.5: insecure treatment of IPC (temporary) files (CVE-2019-12779)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: cluster
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/13746
https://bugs.gentoo.org/show_bug.cgi?id=704514
Whiteboard: B1 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 18:06:40 UTC
CVE-2019-12779 (https://nvd.nist.gov/vuln/detail/CVE-2019-12779):
  libqb before 1.0.5 allows local users to overwrite arbitrary files via a
  symlink attack, because it uses predictable filenames (under /dev/shm and
  /tmp) without O_EXCL.
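
The flaw class named in the CVE text, shown as an added example (not libqb's code and not part of the original report): opening a predictable path without O_EXCL follows a pre-existing symlink, while O_CREAT | O_EXCL refuses it. The file name `qb-ipc-file`, the helper names, and every flag other than the missing O_EXCL are assumptions; the scenario is constructed inside a private mkdtemp() directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for mkdtemp() and O_NOFOLLOW under strict -std modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: no O_EXCL, so a symlink already at `path` is followed
 * and its target is opened (and here truncated) with our privileges. */
static int open_ipc_unsafe(const char *path) {
    return open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a dangling or live symlink, already exists at `path`. */
static int open_ipc_excl(const char *path) {
    return open(path, O_CREAT | O_EXCL | O_NOFOLLOW | O_RDWR, 0600);
}

/* Constructed scenario: "victim" holds 6 bytes and the predictable name
 * "qb-ipc-file" (hypothetical) is a symlink to it.
 * Returns victim's size after the open attempt, or -1 on setup failure. */
long victim_size_after_open(int hardened) {
    char dir[] = "/tmp/qbdemo-XXXXXX";
    char victim[64], ipc[64];
    struct stat st;
    long size = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(ipc, sizeof ipc, "%s/qb-ipc-file", dir);

    int fd = open(victim, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        int ok = write(fd, "secret", 6) == 6;
        close(fd);
        if (ok && symlink(victim, ipc) == 0) {
            fd = hardened ? open_ipc_excl(ipc) : open_ipc_unsafe(ipc);
            if (fd >= 0) close(fd);
            if (stat(victim, &st) == 0) size = (long)st.st_size;
        }
    }
    unlink(ipc); unlink(victim); rmdir(dir);
    return size;
}
```

For scratch files that need no fixed name, mkstemp() avoids the predictable-name half of the problem as well, since it picks a random name and creates it with O_EXCL.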
Comment 1 Wim Muskee 2019-11-25 06:19:36 UTC
The https://github.com/gentoo/gentoo/pull/13746.patch contains a bump to libqb-1.0.5 [PATCH 3/3].
Comment 2 Larry the Git Cow gentoo-dev 2019-12-11 17:09:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd35a6d8e2110d67918cb5cfff48d234ceb2c12e

commit fd35a6d8e2110d67918cb5cfff48d234ceb2c12e
Author:     Wim Muskee <wimmuskee@gmail.com>
AuthorDate: 2019-11-23 20:40:56 +0000
Commit:     Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2019-12-11 17:08:30 +0000

    sys-cluster/libqb: version bump to 1.0.5
    
    Bug: https://bugs.gentoo.org/699860
    Signed-off-by: Wim Muskee <wimmuskee@gmail.com>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 sys-cluster/libqb/Manifest           |  1 +
 sys-cluster/libqb/libqb-1.0.5.ebuild | 52 ++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-01-02 21:44:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5e69bf829c1d7972ad069d415f24937417ffa4

commit 7e5e69bf829c1d7972ad069d415f24937417ffa4
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-01-02 21:38:41 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-01-02 21:44:12 +0000

    sys-cluster/libqb: 1.9.0
    
    Bug: https://bugs.gentoo.org/704514
    Bug: https://bugs.gentoo.org/699860
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.84, Repoman-2.3.20

 sys-cluster/libqb/Manifest           |  1 +
 sys-cluster/libqb/libqb-1.9.0.ebuild | 62 ++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
Comment 4 Sebastian Pipping gentoo-dev 2020-01-02 21:55:03 UTC
Please note that the link magic in libqb 1.0.5 causes link errors with dependees (see bug #704514) so some users may have a hard time getting off vulnerable libqb 1.0.1.  There is 1.0.9 in tree now, I hope that helps this path.
Comment 5 Sebastian Pipping gentoo-dev 2020-01-02 21:57:48 UTC
(In reply to Sebastian Pipping from comment #4)
> [..] There is 1.0.9 in tree now, [..]

1.9.0, sorry.
Comment 6 Sam James archtester gentoo-dev Security 2020-07-20 21:27:25 UTC
(In reply to Sebastian Pipping from comment #5)
> (In reply to Sebastian Pipping from comment #4)
> > [..] There is 1.0.9 in tree now, [..]
> 
> 1.9.0, sorry.

Let's call this the stable candidate, and do it shortly unless somebody objects.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-01 15:18:03 UTC
hppa stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-08-29 17:58:03 UTC
x86 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 07:56:09 UTC
ppc64 stable
Comment 10 NATTkA bot gentoo-dev 2021-03-20 11:41:05 UTC Comment hidden (obsolete)
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-03-21 10:29:21 UTC
Both amd64 and ppc have latest version stable.
Comment 12 NATTkA bot gentoo-dev 2021-04-01 20:13:21 UTC
Unable to check for sanity:

> no match for package: sys-cluster/libqb-1.9.0
Comment 13 Thomas Deutschmann gentoo-dev Security 2021-05-26 21:27:33 UTC
Dropping bug 720910 which did not block stabilization.

New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-03 03:30:07 UTC
This issue was resolved and addressed in
 GLSA 202107-03 at https://security.gentoo.org/glsa/202107-03
by GLSA coordinator John Helmert III (ajak).