Bug 629442 (CVE-2017-16659) - mail-filter/assp: root privilege escalation through user-owned daemon
Summary: mail-filter/assp: root privilege escalation through user-owned daemon
Status: RESOLVED FIXED
Alias: CVE-2017-16659
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B1 [noglsa cve]
Reported: 2017-08-31 11:49 UTC by Michael Orlitzky
Modified: 2018-12-01 19:30 UTC
Description Michael Orlitzky gentoo-dev 2017-08-31 11:49:01 UTC
The init script for ASSP launches a perl script as root,

  start-stop-daemon ... --startas /usr/share/assp/assp.pl

but that script is owned by the "assp" user,

  -rwxr-xr-x 1 assp assp 1787042 Aug 31 07:44 /usr/share/assp/assp.pl

so he can run whatever he wants as root when the service is started.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:09:14 UTC
@Maintainer please call for stabilization when ready.

@mjo was this reported upstream? It would be good to request a CVE for this issue if possible too.

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 01:48:38 UTC
Our ebuild does,

  # Lock down the files/data
  fowners assp:assp -R /usr/share/assp

so I don't think it's an upstream issue, but you'd have to dig through their build system to rule it out.
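A check for the condition described in this report, as an added example that is not part of the bug, the ebuild or Gentoo's tooling: it walks from a file that an init script starts as root up through its parent directories and flags every component that a non-root user could replace. The function name `audit_root_exec` and its arguments are hypothetical, and GNU coreutils `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes GNU stat/readlink.
# audit_root_exec FILE [TRUSTED_UID] [TOP]
#   Walks from FILE up to TOP (default /) and reports each path component
#   that an account other than TRUSTED_UID (default 0, root) could replace:
#   wrong owner, or group/world-writable (sticky directories excepted).
#   Returns 0 when the whole chain is safe, 1 otherwise.
audit_root_exec() {
    path=$(readlink -f -- "$1") || return 1
    trusted=${2:-0}
    top=$(readlink -f -- "${3:-/}") || return 1
    bad=0
    while :; do
        info=$(stat -c '%u %a' -- "$path") || return 1
        owner=${info% *}
        mode=${info#* }
        # The owner can always rewrite or chmod the file or directory.
        if [ "$owner" != "$trusted" ]; then
            echo "UNSAFE owner uid=$owner: $path"
            bad=1
        fi
        # Group/other write bits (022). A sticky directory (01000) such as
        # /tmp does not let users rename or delete entries they do not own.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            if [ -d "$path" ] && [ $(( 0$mode & 01000 )) -ne 0 ]; then
                :
            else
                echo "UNSAFE mode $mode: $path"
                bad=1
            fi
        fi
        if [ "$path" = "$top" ] || [ "$path" = / ]; then
            break
        fi
        path=$(dirname -- "$path")
    done
    return $bad
}
# Usage on the path from this report:
#   audit_root_exec /usr/share/assp/assp.pl
```

With the ownership shown in the description, the file itself is reported as owned by a non-root uid, and the recursive `fowners` call quoted above would make `/usr/share/assp` fail the same check.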
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-06 02:06:51 UTC
(In reply to Michael Orlitzky from comment #2)
> Our ebuild does,
> 
>   # Lock down the files/data
>   fowners assp:assp -R /usr/share/assp
> 
> so I don't think it's an upstream issue, but you'd have to dig through their
> build system to rule it out.

Thank you for the clarification.

@Maintainer please call for stabilization when necessary.

Gentoo Security Padawan
ChrisADR
Comment 4 Larry the Git Cow gentoo-dev 2018-12-01 18:24:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0ebfbc763961a1a7b5c7adbdc53fc370870df4f

commit d0ebfbc763961a1a7b5c7adbdc53fc370870df4f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-12-01 18:22:34 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-12-01 18:23:02 +0000

    mail-filter/assp: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/629442
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 mail-filter/assp/Manifest                |   3 -
 mail-filter/assp/assp-1.8.5.9.ebuild     | 178 ------------------------------
 mail-filter/assp/assp-1.9.4.9.ebuild     | 179 -------------------------------
 mail-filter/assp/assp-1.9.8.13030.ebuild | 179 -------------------------------
 mail-filter/assp/files/asspd.init        |  21 ----
 mail-filter/assp/metadata.xml            |  25 -----
 profiles/package.mask                    |   5 -
 7 files changed, 590 deletions(-)