The icinga2 systemd service file allows the unprivileged $ICINGA2_USER to gain root privileges by replacing the target of "chown" with a link. The vulnerability itself is in another script called "prepare-dirs" that is executed before starting the systemd service. Our OpenRC service script is not vulnerable. This hasn't been fixed upstream yet, but my recommendation is that the $ICINGA2_USER and $ICINGA2_GROUP runtime variables be eliminated. Trying to change an in-use UID/GID on a live system is fraught with dangers like these.
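The report above describes a root-run setup step calling chown on a path that an unprivileged user can replace with a link. The following is an added example, not part of the original report and not Icinga's or Gentoo's code, of an ownership change that refuses symlinks and, going beyond the report's case, hard-linked files; the names chown_nofollow, UnsafeTarget and demo are hypothetical and the sample files are constructed.

```python
import os
import stat
import tempfile


class UnsafeTarget(Exception):
    """The path is a link or a file type this step will not chown."""


def chown_nofollow(path, uid, gid):
    """chown `path` only if it is a directory or a singly linked regular file.

    Only the final component is checked; parent directories must not be
    writable by the unprivileged user.
    """
    # O_NOFOLLOW: open() fails (ELOOP) when the final component is a symlink.
    # O_NONBLOCK: do not hang if a FIFO was planted at the path.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UnsafeTarget(f"{path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)  # inspect the object we opened, not the name
        if stat.S_ISREG(st.st_mode) and st.st_nlink != 1:
            raise UnsafeTarget(f"{path}: {st.st_nlink} hard links")
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            raise UnsafeTarget(f"{path}: not a regular file or directory")
        os.fchown(fd, uid, gid)  # acts on the descriptor, no second lookup
    finally:
        os.close(fd)


def demo():
    """Constructed layout: an honest file, plus a symlink and a hard link
    that both point at a 'victim' file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = {n: os.path.join(d, n)
             for n in ("real", "victim", "symlink", "hardlink")}
        for name in ("real", "victim"):
            open(p[name], "w").close()
        os.symlink(p["victim"], p["symlink"])
        os.link(p["victim"], p["hardlink"])
        for name in ("real", "symlink", "hardlink"):
            try:
                chown_nofollow(p[name], os.getuid(), os.getgid())
                results[name] = "chowned"
            except UnsafeTarget:
                results[name] = "refused"
    return results
```

The demo changes ownership to the caller's own UID/GID, so it runs without root.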
Upstream has fixed the issue in: https://github.com/Icinga/icinga2/milestone/68 with https://github.com/Icinga/icinga2/commit/5aafc7eda5c1b026a993fc2782fa84b8f3e8e052

Tree looks good!

Keywords for net-analyzer/icinga2:
       |                               a   |       |
       |                               m   |       |
       |                               d x |       |
       |                               6 8 |       |
       |                               4 6 |   u   |
       | a a   a     p r           s   | | |   n   |
       | l m   r i   p i   h m s   p m f f | e u s | r
       | p d a m a p c s x p 6 3   a i b b | a s l | e
       | h 6 r 6 6 p 6 c 8 p 8 9 s r p s s | p e o | p
       | a 4 m 4 4 c 4 v 6 a k 0 h c s d d | i d t | o
-------+-----------------------------------+-------+-------
2.10.5 | o + ~ ~ o ~ ~ o + o o o o o o o o | 6 o 0 | gentoo
9999   | o o o o o o o o o o o o o o o o o | 6 o   | gentoo

@security please proceed.
Upstream's first release with the fix-commit is v2.8.2. Tree was clean with our commit dfff36d5a809ea50f80c1a0b21e2469236399e34:

commit dfff36d5a809ea50f80c1a0b21e2469236399e34
Author: Matthew Thode <prometheanfire@gentoo.org>
Date:   Thu Mar 22 12:17:01 2018 -0500

    net-analyzer/icinga2: 2.8.2 stable amd64 x86 ppc ppc64

    removed 2.8.1, fast stable with removal for the following CVEs
    CVE-2017-16933, CVE-2018-6532, CVE-2018-6533, CVE-2018-6534,
    CVE-2018-6535, CVE-2018-6536

    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 delete mode 100644 net-analyzer/icinga2/icinga2-2.8.1.ebuild
Let's just close it then, the tree has been clean for a good while.