692522 – app-admin/yaala: insecure permissions

Bug 692522 - app-admin/yaala: insecure permissions

Summary: app-admin/yaala: insecure permissions

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Deadline:	2019-10-07
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [masked noglsa]
Keywords:	PMASKED

Depends on:
Blocks:

Reported:	2019-08-19 13:50 UTC by Michael Orlitzky
Modified:	2020-06-20 01:56 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2019-08-19 13:50:48 UTC

app-admin/yaala stores its persistent data in /var/lib/yaala. It also installs a cron job that runs as root, that is (fortunately?) broken by default (bug 678880) and which makes use of that path.

Anyway, the ebuild makes that path world-writable:

  keepdir /var/lib/${PN}
  fperms 777 /var/lib/${PN}

This is unsafe for obvious reasons. For example, anyone on the system can symlink the data file path to an important file, and wait for root to overwrite it with log data.

Those perms should probably be 700, or 755 if you're sure that there's nothing sensitive in your logs.

Given that this is maintainer-needed and the last update was before we switched to git, I think this is a tree-clean candidate.

Comment 1 Larry the Git Cow gentoo-dev

2019-09-07 12:44:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0552e5c2919615e5a6155218131b9e8e4a23894

commit a0552e5c2919615e5a6155218131b9e8e4a23894
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-07 12:43:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-07 12:43:54 +0000

    package.mask: Last rite app-admin/yaala
    
    Bug: https://bugs.gentoo.org/692522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2019-10-07 08:28:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6672aea9261a117b739f417a23fde3afde4e0986

commit 6672aea9261a117b739f417a23fde3afde4e0986
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-10-07 08:21:27 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-10-07 08:21:49 +0000

    app-admin/yaala: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/692522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-admin/yaala/Manifest                           |  1 -
 .../yaala/files/yaala-0.7.3-r1-correct-paths.patch | 31 ----------
 app-admin/yaala/metadata.xml                       |  8 ---
 app-admin/yaala/yaala-0.7.3-r2.ebuild              | 72 ----------------------
 profiles/base/package.use.stable.mask              |  1 -
 profiles/package.mask                              |  6 --
 6 files changed, 119 deletions(-)

Comment 3 Michael Orlitzky gentoo-dev

2020-04-03 13:01:02 UTC

Security: ping. This can be closed.

Comment 4 Sam James archtester

2020-06-20 01:56:35 UTC

(In reply to Michael Orlitzky from comment #3)
> Security: ping. This can be closed.

Thanks.