The logcheck ebuilds all call "chown -R" on the root filesystem during pkg_postinst: pkg_postinst() { chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die This is exploitable in the same way that the init scripts were: the first install is safe, but then the logcheck user can place a hard link in either of those directories pointing to e.g. /root/.bashrc. The next time logcheck is installed, the ebuild will call chown on the hardlink, and give ownership of /root/.bashrc to the "logcheck" user. I'm marking this private, but the package is maintainer-needed, so it's up to @security who to CC. If someone wants to take a shot at it, my first attempt would be to use "fowners root:logcheck ..." and to do it on $D in src_install. Another call to fperms could then make those directories group-rwx. Neither call should operate recursively.
@mrueg: Hi Manuel, I see you're the last dev to touch this package with a version bump earlier this year. Maybe you want to take a crack at fixing this issue and taking over maintainership of the package?
I'm not interested in maintaining it. the cronjob is probably similarly vulnerable in /etc/cron.hourly/logcheck.cron > chown -R logcheck:logcheck /var/lock/logcheck
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
(In reply to Larry the Git Cow from comment #18) > The bug has been referenced in the following commit(s): > > https://gitweb.gentoo.org/repo/gentoo.git/commit/ > ?id=2aa8d23c8600f65ddf12a27696c2b4b99babbd79 > > commit 2aa8d23c8600f65ddf12a27696c2b4b99babbd79 > Author: John Helmert III <ajak@gentoo.org> > AuthorDate: 2022-08-11 03:50:22 +0000 > Commit: John Helmert III <ajak@gentoo.org> > CommitDate: 2022-08-11 03:50:22 +0000 > > profiles: last rite app-admin/logcheck > > Bug: https://bugs.gentoo.org/730752 > Signed-off-by: John Helmert III <ajak@gentoo.org> > > profiles/package.mask | 5 +++++ > 1 file changed, 5 insertions(+)
Created attachment 801076 [details, diff] Fix privilege escalation If it is just the privilege escalation, this is easily fixable (see patch). Regarding a maintainer I cannot help, sorry. :)
I'd be willing to proxy maintainer logcheck to keep it in the tree.
(In reply to Philippe Chaintreuil from comment #7) > I'd be willing to proxy maintainer logcheck to keep it in the tree. That'd be great, thank you.
Also, there was a comment about logcheck being "unmaintained since the git transition" in the last rights, but I can't figure out what that's referring to. It seems like this is the current git repo: https://salsa.debian.org/debian/logcheck And that had a commit 2 weeks ago, plus several commits and a new release (1.3.24) in July. So this doesn't seem to be unmaintained, though admittedly this is an outsider's view and there may be stuff behind the scenes that I don't see.
(In reply to Jared B. from comment #9) > Also, there was a comment about logcheck being "unmaintained since the git > transition" in the last rights, but I can't figure out what that's referring > to. It seems like this is the current git repo: > > https://salsa.debian.org/debian/logcheck > > And that had a commit 2 weeks ago, plus several commits and a new release > (1.3.24) in July. So this doesn't seem to be unmaintained, though > admittedly this is an outsider's view and there may be stuff behind the > scenes that I don't see. The last maintainer in Gentoo dropped the package in 2017: commit 4228e93b4a73fd3f462d34eb0ce9949b066a7873 Author: Pawel Hajdan, Jr <phajdan.jr@gentoo.org> Date: Tue May 2 12:27:19 2017 +0200 app-admin/logcheck: remove phajdan.jr from maintainers -> maintainer-needed Package-Manager: Portage-2.3.3, Repoman-2.3.1 diff --git a/app-admin/logcheck/metadata.xml b/app-admin/logcheck/metadata.xml index cc8cd37515a7..7a38bb900964 100644 --- a/app-admin/logcheck/metadata.xml +++ b/app-admin/logcheck/metadata.xml @@ -1,8 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <pkgmetadata> - <maintainer type="person"> - <email>phajdan.jr@gentoo.org</email> - <name>Pawel Hajdan jr</name> - </maintainer> + <!-- maintainer-needed --> </pkgmetadata> Before that, phajdan hadn't even touched the package since the ::gentoo git transition in 2015: https://github.com/gentoo/gentoo/commits/master/app-admin/logcheck
(In reply to John Helmert III from comment #10) > The last maintainer in Gentoo dropped the package in 2017: Gotcha. I had read that as unmaintained upstream. Thanks for clarifying.
(In reply to Sam James from comment #8) > (In reply to Philippe Chaintreuil from comment #7) > > I'd be willing to proxy maintainer logcheck to keep it in the tree. > > That'd be great, thank you. Actually, I'm going to have to retract this. Turns out I'm still using logsentry, not logcheck. (I was confused since logsentry's script is called logcheck.) Sorry for the fake-out. :-(
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1517666b3bb5e08ad6a85aceada2e9ddfc25f10 commit c1517666b3bb5e08ad6a85aceada2e9ddfc25f10 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-09-18 21:20:38 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-18 21:20:38 +0000 app-admin/logcheck: treeclean Bug: https://bugs.gentoo.org/630752 Signed-off-by: John Helmert III <ajak@gentoo.org> app-admin/logcheck/Manifest | 1 - app-admin/logcheck/files/logcheck.cron | 10 ----- app-admin/logcheck/logcheck-1.3.23.ebuild | 65 ------------------------------- app-admin/logcheck/metadata.xml | 5 --- profiles/package.mask | 5 --- 5 files changed, 86 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31c1a39700a70382a13f65f6bef70698c174d8b4 commit 31c1a39700a70382a13f65f6bef70698c174d8b4 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-09-18 21:19:57 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-18 21:19:57 +0000 net-analyzer/sguil-sensor: treeclean Bug: https://bugs.gentoo.org/630752 Signed-off-by: John Helmert III <ajak@gentoo.org> net-analyzer/sguil-sensor/Manifest | 1 - net-analyzer/sguil-sensor/files/log_packets.confd | 18 ----- net-analyzer/sguil-sensor/files/log_packets.initd | 91 ---------------------- net-analyzer/sguil-sensor/files/sensor_agent.initd | 29 ------- net-analyzer/sguil-sensor/metadata.xml | 12 --- .../sguil-sensor/sguil-sensor-1.0.0-r3.ebuild | 81 ------------------- profiles/package.mask | 5 -- 7 files changed, 237 deletions(-)
GLSA request filed, CVE pending
GLSA released, all done!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c119633f474d495980aaa3db92f8d90254200747 commit c119633f474d495980aaa3db92f8d90254200747 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-09-25 13:34:57 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-25 13:42:21 +0000 [ GLSA 202209-10 ] Logcheck: Root privilege escalation Bug: https://bugs.gentoo.org/630752 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202209-10.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)
