bug 930831 was filed for this at first but mixing the two issues of: a) the vulnerability itself, and b) whether hyprland should remain in ::gentoo isn't going well. So, let's use this bug for the standard, usual security tracking.

--

Insecurely creating /tmp/hypr and compiling/running code in it:
https://www.openwall.com/lists/oss-security/2024/04/28/3
https://github.com/hyprwm/Hyprland/issues/5787#issuecomment-2081572992
https://bugs.gentoo.org/930831#c19

> No, the user would need to load _any_ plugin, and then a user
> with less permissions can camp and wait until that happens
> (possibly creating the directory first, before hyprland starts up),
> and inject their own plugin.
> This is a somewhat standard form of privilege escalation
> when it comes to unsafe handling of temporary files and directories.
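The bug class quoted above (a fixed, predictable directory under /tmp that another local user can create first, which the compositor then compiles and loads plugins from) is mitigated by never trusting a directory the process did not create itself with private permissions. The C program below is an added illustration of that defensive pattern, not Hyprland's code or any of the linked fix commits; the function names open_private_dir and make_private_dir and the hypr-example name prefix are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` as a directory that is safe to compile and run code in.
 * It must not be a symlink, must be a real directory, must be owned by
 * the calling user and must not be group/world writable. Returns a
 * directory fd (use it with openat()/fchdir() so a later rename of the
 * path cannot redirect the process), or -1 with errno set. */
int open_private_dir(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                     /* missing, symlink or not a directory */
    struct stat st;
    if (fstat(fd, &st) < 0) {          /* fstat on the fd, never stat on the path */
        close(fd);
        return -1;
    }
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;                 /* someone else controls this directory */
        return -1;
    }
    return fd;
}

/* Create a fresh, unpredictably named 0700 directory below `base`
 * (ideally $XDG_RUNTIME_DIR, which is per user, rather than /tmp) and
 * return a validated fd for it; the chosen path is written to `out`. */
int make_private_dir(const char *base, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/hypr-example.XXXXXX", base) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(out) == NULL)          /* atomic create, mode 0700, random suffix */
        return -1;
    return open_private_dir(out);      /* re-check through the fd before use */
}

int main(void) {
    char path[256];
    int fd = make_private_dir("/tmp", path, sizeof path);
    if (fd < 0) { perror("make_private_dir"); return 1; }
    printf("private build dir: %s\n", path);
    close(fd);
    rmdir(path);
    return 0;
}
```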
And to be absolutely crystal clear: this is the same issue which prompted bug 930831 to be filed, and I'm just splitting this out because that's how we normally handle (possible) security vulnerabilities.
Fix commits:
* https://github.com/hyprwm/Hyprland/commit/82a6fba6ec0c5a667582b9ad48adadc36bef2702 (refactoring)
* https://github.com/hyprwm/Hyprland/commit/28c85619243e6320e75d7abcfe8244fa99d054dd
* https://github.com/hyprwm/Hyprland/commit/b164e67d8b1f12420ec44a1c837af7923559ccf2
* https://github.com/hyprwm/Hyprland/commit/f7815dab42ee570c38bd7ae85a4f2a6e36803809
* https://github.com/hyprwm/Hyprland/commit/335015fe2defae76b4fd22ebfe8e3614a01495b7
* https://github.com/hyprwm/Hyprland/commit/95a5e75c260a2ed46e7b21b9a9bb7e58bdcdfa21
* https://github.com/hyprwm/Hyprland/commit/d20ee312108d0e7879011cfffa3a83d06e48d29e (fixup)
* https://github.com/hyprwm/Hyprland/commit/a5a648091760ac002120fab18247e5292b6482de (https://github.com/hyprwm/Hyprland/pull/5788)

There's also https://github.com/hyprwm/Hyprland/pull/5801.

There are also comments from solar on Twitter which point out, I think, some outstanding issues not yet addressed but I didn't check thoroughly.
(In reply to Sam James from comment #2)
> Fix commits:
> * https://github.com/hyprwm/Hyprland/commit/82a6fba6ec0c5a667582b9ad48adadc36bef2702 (refactoring)
> * https://github.com/hyprwm/Hyprland/commit/28c85619243e6320e75d7abcfe8244fa99d054dd
> * https://github.com/hyprwm/Hyprland/commit/b164e67d8b1f12420ec44a1c837af7923559ccf2
> * https://github.com/hyprwm/Hyprland/commit/f7815dab42ee570c38bd7ae85a4f2a6e36803809
> * https://github.com/hyprwm/Hyprland/commit/335015fe2defae76b4fd22ebfe8e3614a01495b7
> * https://github.com/hyprwm/Hyprland/commit/95a5e75c260a2ed46e7b21b9a9bb7e58bdcdfa21
> * https://github.com/hyprwm/Hyprland/commit/d20ee312108d0e7879011cfffa3a83d06e48d29e (fixup)
> * https://github.com/hyprwm/Hyprland/commit/a5a648091760ac002120fab18247e5292b6482de (https://github.com/hyprwm/Hyprland/pull/5788)
>
> There's also https://github.com/hyprwm/Hyprland/pull/5801.
>
> There are also comments from solar on Twitter which point out, I think, some
> outstanding issues not yet addressed but I didn't check thoroughly.

All these changes have now been merged, and the issue appears to be resolved.
Security bugs in Gentoo get closed once a fixed version is in tree, stabled if relevant, cleaned up vulnerable versions, and possibly a GLSA published.
(In reply to Sam James from comment #4)
> Security bugs in Gentoo get closed once a fixed version is in tree, stabled
> if relevant, cleaned up vulnerable versions, and possibly a GLSA published.

I understand, and it is correct: until the patch is in the tree, it cannot be said to be patched in Gentoo.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fe69c4c758d917bc5f042d99c33867c95d5bebc

commit 0fe69c4c758d917bc5f042d99c33867c95d5bebc
Author:     Julien Roy <julien@jroy.ca>
AuthorDate: 2024-05-13 18:47:24 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-05-15 08:03:45 +0000

    gui-wm/hyprland: add 0.40.0

    Closes: https://bugs.gentoo.org/931680
    Bug: https://bugs.gentoo.org/930945
    Signed-off-by: Julien Roy <julien@jroy.ca>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 gui-wm/hyprland/Manifest                      |   1 +
 .../files/wlroots-hyprland-apply-0.40.0.patch |  23 ++++
 gui-wm/hyprland/hyprland-0.40.0.ebuild        | 147 +++++++++++++++++++++
 3 files changed, 171 insertions(+)
A newer version has been stabilized, and vulnerable versions have been removed.

https://gitweb.gentoo.org/repo/gentoo.git/commit/gui-wm/hyprland?id=631aba7a84a469c926c2c60cbec390c1ccba71b6
GLSA vote: no (the ecosystem has much churn still)