> A user could manipulate the PATH environment variable to cause
> seatd-launch to load a different executable than seatd. If seatd-launch
> had the SUID bit set and was owned by a privileged user, this could be
> used to mount a privilege escalation attack.

Only 0.6.0 and 0.6.1 (not in Gentoo) are vulnerable; it is fixed in 0.6.2.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1084ca6540f023f71ec0610e893137e829bb74c2

commit 1084ca6540f023f71ec0610e893137e829bb74c2
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
AuthorDate: 2021-09-16 06:48:03 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-09-17 01:52:20 +0000

    sys-auth/seatd: Security cleanup, 0.6.0

    Bug: https://bugs.gentoo.org/813282
    Signed-off-by: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
    Closes: https://github.com/gentoo/gentoo/pull/22305
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 sys-auth/seatd/Manifest | 1 -
 sys-auth/seatd/seatd-0.6.0-r1.ebuild | 55 ------------------------------------
 2 files changed, 56 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=176ce89284de2a37bbb373e07a2c617d0f17117b

commit 176ce89284de2a37bbb373e07a2c617d0f17117b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
AuthorDate: 2021-09-16 06:47:30 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-09-17 01:52:20 +0000

    sys-auth/seatd: Version bump, 0.6.2

    Bug: https://bugs.gentoo.org/813282
    Signed-off-by: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 sys-auth/seatd/Manifest | 1 +
 sys-auth/seatd/seatd-0.6.2.ebuild | 55 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Please file a stablereq when ready!
(In reply to John Helmert III from comment #2)
> Please file a stablereq when ready!

Erm sure but seatd-0.6.0 wasn't stabilized?
I think there's just confusion; 0.5.0 is not affected, so the stablereq isn't necessary here. This affects seatd-launch, which doesn't exist prior to 0.6.0.
Ah, yes, if only unstable versions were affected we don't need to do anything further. All done!