Bug 904895 - <sys-apps/portage-3.0.47: dispatch-conf race condition with chmod on log file access
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ?? [stable?]
Keywords: InVCS, PATCH
Depends on: 903973
Blocks:
Reported: 2023-04-23 18:59 UTC by Hanno Böck
Modified: 2023-04-30 13:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch (portage-dispatch-conf-race.diff,666 bytes, patch)
2023-04-23 18:59 UTC, Hanno Böck

Description Hanno Böck gentoo-dev 2023-04-23 18:59:25 UTC
Created attachment 860666
patch

dispatch-conf contains the following code to create the log file:

                open(self.options["log-file"], "w").close()  # Truncate it
                os.chmod(self.options["log-file"], 0o600)

This is insecure, as the file is first created with publicly readable permissions, and then the file permissions are changed. A malicious user could open the file in that window and read it once content is written to it.

To reproduce:
1. make sure no dispatch-conf.log exists
2. run fpracer script from https://github.com/hannob/fpracer as an unprivileged user with "./fpracer /var/log/dispatch-conf.log"
3. uncomment "log-file=/var/log/dispatch-conf.log" in /etc/dispatch-conf.conf
4. as root, run dispatch-conf and merge any new config

The user will see the content of the non-world-readable log file.

I consider this a low severity security issue, as the impact is limited and certain conditions need to be met for it to be exploitable. But still it should be fixed. See attached patch.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-23 19:14:41 UTC
Thanks Hanno.

Would you mind submitting it as a PR to github.com/gentoo/portage, attaching a git-amable patch here, or using git-send-email to the gentoo-portage-dev mailing list?
Comment 2 Hanno Böck gentoo-dev 2023-04-24 14:06:32 UTC
PR created: https://github.com/gentoo/portage/pull/1025
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 04:45:25 UTC
commit 4cc3e2d39a39b422074de49e88261cdf717292d5
Author: Hanno Böck <hanno@gentoo.org>
Date:   Mon Apr 24 16:03:28 2023 +0200

    dispatch-conf: Avoid race when accessing log file

    First creating the file and then running chmod creates a security
    risk where a user could access the file. Avoid this by enforcing
    the file permissions via umask.

    Signed-off-by: Hanno Böck <hanno@gentoo.org>
    Closes: https://github.com/gentoo/portage/pull/1025
    Signed-off-by: Sam James <sam@gentoo.org>
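
Added example, not part of the bug thread and not the portage code: a Python sketch that puts the create-then-chmod pattern quoted in the description beside the umask approach the commit message describes, plus an alternative that passes the mode to open(2). The function names, scratch file names and the 022 starting umask are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def create_racy(path):
    """Create-then-chmod, as quoted in the report. Returns the mode the
    file had between the two calls, i.e. what other users could open."""
    open(path, "w").close()
    window = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)
    return window


def create_with_umask(path):
    """Tighten the umask first so the file is never created wider than 0600.
    os.umask() is process-wide, so restore it immediately afterwards."""
    old = os.umask(0o077)
    try:
        open(path, "w").close()
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_with_mode(path):
    """Alternative: pass the mode to open(2). O_EXCL refuses a file that
    already exists (and may already be held open by someone else)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run all three in a scratch directory under a typical 022 umask."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            return {
                "racy_window": create_racy(os.path.join(d, "a.log")),
                "umask": create_with_umask(os.path.join(d, "b.log")),
                "open_mode": create_with_mode(os.path.join(d, "c.log")),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {oct(mode)}")
```

A descriptor opened while the file was still world-readable stays valid after the chmod, which is why the mode at creation time is the value that matters.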
Comment 4 Larry the Git Cow gentoo-dev 2023-04-30 04:14:19 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b3c80502e96406b4b175e2ee79eb65f3f3cd9f6

commit 5b3c80502e96406b4b175e2ee79eb65f3f3cd9f6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 04:13:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-30 04:13:36 +0000

    sys-apps/portage: add 3.0.47
    
    Bug: https://bugs.gentoo.org/597800
    Closes: https://bugs.gentoo.org/903973
    Closes: https://bugs.gentoo.org/875362
    Closes: https://bugs.gentoo.org/904895
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-3.0.47.ebuild | 285 +++++++++++++++++++++++++++++++++
 2 files changed, 286 insertions(+)