Created attachment 494568
spiped.initd-r1

The init script for spiped gives ownership of its PID file directory to the daemon's runtime user:

  start() {
      checkconfig || return 1
      ebegin "Starting ${SVCNAME}"
      checkpath -d -o "${SPIPED_USER}" -m750 "$(dirname "${PIDFILE}")"
      ...

This can be exploited by $SPIPED_USER to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $SPIPED_USER).

I've rewritten the init script to work around this by running spiped in the foreground, and by letting OpenRC background it and manage its PID file.
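An added example, not part of the original report or of the spiped/OpenRC code: a shell check for the condition described above, verifying that a PID file and its directory can only be written by a trusted user before anything signals the PID it contains. The function name pidfile_trusted and its arguments are hypothetical, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example; pidfile_trusted is a hypothetical helper, not OpenRC code.
# Assumes GNU stat (coreutils) for the -c format option.
#
# pidfile_trusted PIDFILE [TRUSTED_UID]
# Returns 0 only if the PID file's directory, and the PID file itself when
# it exists, are owned by TRUSTED_UID (default 0, root), are not symlinks,
# and are not writable by group or others. Otherwise prints why and returns 1.
pidfile_trusted() {
    pidfile=$1
    trusted_uid=${2:-0}
    dir=$(dirname -- "$pidfile")

    for path in "$dir" "$pidfile"; do
        # A symlink here could redirect the lookup to attacker-chosen content.
        if [ -L "$path" ]; then
            echo "symlink: $path" >&2
            return 1
        fi
        if [ ! -e "$path" ]; then
            # A missing PID file just means the service is not running.
            if [ "$path" = "$pidfile" ]; then
                continue
            fi
            echo "missing directory: $path" >&2
            return 1
        fi
        owner=$(stat -c '%u' -- "$path") || return 1
        mode=$(stat -c '%a' -- "$path") || return 1
        # Whoever owns the directory can replace the PID file at will.
        if [ "$owner" != "$trusted_uid" ]; then
            echo "owned by uid $owner, expected $trusted_uid: $path" >&2
            return 1
        fi
        # Octal 022 = group-write | other-write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $path" >&2
            return 1
        fi
    done
    return 0
}
```

With the default trusted UID of 0, a directory created the way the quoted checkpath line does (owned by the daemon's runtime user) fails this check.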
commit ae1766daedf1ac9b767fc682495a9e2ce123e800 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sat Sep 16 12:55:34 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sat Sep 16 12:57:53 2017 +0200

    net-misc/spiped: update initd script and avoid privilege escalation.

    Gentoo-Bug: https://bugs.gentoo.org/631022
    Package-Manager: Portage-2.3.6, Repoman-2.3.1

 net-misc/spiped/files/spiped.initd | 39 ++++++++++------------------
 net-misc/spiped/spiped-1.6.0-r1.ebuild | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 26 deletions(-)
 create mode 100644 net-misc/spiped/spiped-1.6.0-r1.ebuild

Thanks for the bug report! I've performed a revbump for users to pick up the initd script update.

Do you want to stabilise this package? In my opinion we should.
Yep, the security team will request stabilization (amd64 and x86) and then ask that the old versions be removed.
Alright, let's get on with it then.

Arch teams,

Please stabilise:
=net-misc/spiped-1.6.0-r1

Thanks!
amd64 tested, ok
x86 stable
Created attachment 497508
Test report for amd64

This stable request has been tested automatically on amd64. Please see the attached report. I'm still learning, so please let me know if you don't agree with my results.
OK thank you stable bot! =]
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5601e0cdf894078c423a094eec4caa5bbcc84028

commit 5601e0cdf894078c423a094eec4caa5bbcc84028
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-03 13:29:00 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-03 13:29:00 +0000

    net-misc/spiped: clean up old.

    Bug: https://bugs.gentoo.org/631022
    Package-Manager: Portage-2.3.8, Repoman-2.3.1

 net-misc/spiped/Manifest | 1 -
 net-misc/spiped/spiped-1.5.0-r1.ebuild | 42 -------------------------------
 net-misc/spiped/spiped-1.5.0-r2.ebuild | 44 ---------------------------------
 net-misc/spiped/spiped-1.5.0-r3.ebuild | 45 ----------------------------------
 net-misc/spiped/spiped-1.6.0.ebuild | 45 ----------------------------------
 5 files changed, 177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2982a4581bf60c9fcc783a7faa9da760f7bd2df

commit a2982a4581bf60c9fcc783a7faa9da760f7bd2df
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-03 13:28:12 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-03 13:28:12 +0000

    net-misc/spiped: stable for amd64.

    Bug: https://bugs.gentoo.org/631022
    Package-Manager: Portage-2.3.8, Repoman-2.3.1

 net-misc/spiped/spiped-1.6.0-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Security team, Please vote.
GLSA Vote: No