630900 – mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_postinst

Bug 630900 - mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_postinst

Summary: mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_...

Status:	RESOLVED OBSOLETE

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security Audit Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-13 16:20 UTC by Michael Orlitzky
Modified:	2018-04-21 10:40 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-13 16:20:48 UTC

The anomy-sanitizer ebuild calls "chown -R" in pkg_postinst:

  pkg_postinst() {
      chown -R sanitizer:sanitizer "${ROOT}"/${SANI_WORKDIR}

The "sanitizer" user can exploit this to gain root by placing a link in SANI_WORKDIR. For example,

  1. emerge anomy-sanitizer
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/sanitizer/x' sanitizer
  3. emerge anomy-sanitizer
  4. /etc/passwd is owned by "sanitizer"

I'm marking this private but the package is maintainer-needed, so security@ please CC someone who might want to fix it.

Comment 1 Mikle Kolyada (RETIRED) archtester

2018-04-21 10:40:41 UTC

The package has been removed.