1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
|
Subject: CVE-2020-14019 saveconfig: open the temp configfile with modes set
Author: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Date: Thu, 28 May 2020 19:53:04 +0530
Bug-Debian: https://bugs.debian.org/972227
Last-Update: 2020-11-22
Index: python-rtslib-fb/rtslib/root.py
===================================================================
--- python-rtslib-fb.orig/rtslib/root.py
+++ python-rtslib-fb/rtslib/root.py
@@ -453,8 +453,25 @@ class RTSRoot(CFSNode):
tmp_file = save_file + ".temp"
- with open(tmp_file, "w+") as f:
- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)
+ mode = stat.S_IRUSR | stat.S_IWUSR # 0o600
+ umask = 0o777 ^ mode # Prevents always downgrading umask to 0
+
+ # For security, remove file with potentially elevated mode
+ try:
+ os.remove(tmp_file)
+ except OSError:
+ pass
+
+ umask_original = os.umask(umask)
+ # Even though the old file is first deleted, a race condition is still
+ # possible. Including os.O_EXCL with os.O_CREAT in the flags will
+ # prevent the file from being created if it exists due to a race
+ try:
+ fdesc = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
+ finally:
+ os.umask(umask_original)
+
+ with os.fdopen(fdesc, 'w+') as f:
f.write(json.dumps(saveconf, sort_keys=True, indent=2))
f.write("\n")
f.flush()
|