930945 – <gui-wm/hyprland-0.40.0: privilege escalation via unsafe permissions & handling of temporary files

Bug 930945 - <gui-wm/hyprland-0.40.0: privilege escalation via unsafe permissions & handling of temporary files

Summary: <gui-wm/hyprland-0.40.0: privilege escalation via unsafe permissions & handli...

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B2 [stable?]
Keywords:	PullRequest

Depends on:	931680
Blocks:
	Show dependency tree

Reported:	2024-04-29 21:27 UTC by Sam James
Modified:	2024-05-16 02:32 UTC (History)
CC List:	4 users (show)

See Also:	930831 https://github.com/gentoo/gentoo/pull/36666
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2024-04-29 21:27:02 UTC

bug 930831 was filed for this at first but mixing the two issues of:
a) the vulnerability itself, and
b) whether hyprland should remain in ::gentoo
isn't going well.

So, let's use this bug for the standard, usual security tracking.

--

Insecurely creating /tmp/hypr and compiling/running code in it:
https://www.openwall.com/lists/oss-security/2024/04/28/3
https://github.com/hyprwm/Hyprland/issues/5787#issuecomment-2081572992

https://bugs.gentoo.org/930831#c19
>No, the user would need to load _any_ plugin, and then a user
>with less permissions can camp and wait until that happens
>(possibly creating the directory first, before hyprland starts up),
>and inject their own plugin.

>This is a somewhat standard form of privilege escalation
>when it comes to unsafe handling of temporary files and directories.

Comment 1 Sam James archtester

2024-04-29 21:27:40 UTC

And to be absolutely crystal clear: this is the same issue which prompted bug 930831 to be filed, and I'm just splitting this out because that's how we normally handle (possible) security vulnerabilities.

Comment 2 Sam James archtester

2024-04-29 21:30:04 UTC

Fix commits:
* https://github.com/hyprwm/Hyprland/commit/82a6fba6ec0c5a667582b9ad48adadc36bef2702 (refactoring)
* https://github.com/hyprwm/Hyprland/commit/28c85619243e6320e75d7abcfe8244fa99d054dd
* https://github.com/hyprwm/Hyprland/commit/b164e67d8b1f12420ec44a1c837af7923559ccf2
* https://github.com/hyprwm/Hyprland/commit/f7815dab42ee570c38bd7ae85a4f2a6e36803809
* https://github.com/hyprwm/Hyprland/commit/335015fe2defae76b4fd22ebfe8e3614a01495b7
* https://github.com/hyprwm/Hyprland/commit/95a5e75c260a2ed46e7b21b9a9bb7e58bdcdfa21
* https://github.com/hyprwm/Hyprland/commit/d20ee312108d0e7879011cfffa3a83d06e48d29e (fixup)
* https://github.com/hyprwm/Hyprland/commit/a5a648091760ac002120fab18247e5292b6482de (https://github.com/hyprwm/Hyprland/pull/5788)

There's also https://github.com/hyprwm/Hyprland/pull/5801.

There are also comments from solar on Twitter which point out, I think, some outstanding issues not yet addressed but I didn't check thoroughly.

Comment 3 Jose Maldonado 2024-05-02 18:28:20 UTC

(In reply to Sam James from comment #2)
> Fix commits:
> *
> https://github.com/hyprwm/Hyprland/commit/
> 82a6fba6ec0c5a667582b9ad48adadc36bef2702 (refactoring)
> *
> https://github.com/hyprwm/Hyprland/commit/
> 28c85619243e6320e75d7abcfe8244fa99d054dd
> *
> https://github.com/hyprwm/Hyprland/commit/
> b164e67d8b1f12420ec44a1c837af7923559ccf2
> *
> https://github.com/hyprwm/Hyprland/commit/
> f7815dab42ee570c38bd7ae85a4f2a6e36803809
> *
> https://github.com/hyprwm/Hyprland/commit/
> 335015fe2defae76b4fd22ebfe8e3614a01495b7
> *
> https://github.com/hyprwm/Hyprland/commit/
> 95a5e75c260a2ed46e7b21b9a9bb7e58bdcdfa21
> *
> https://github.com/hyprwm/Hyprland/commit/
> d20ee312108d0e7879011cfffa3a83d06e48d29e (fixup)
> *
> https://github.com/hyprwm/Hyprland/commit/
> a5a648091760ac002120fab18247e5292b6482de
> (https://github.com/hyprwm/Hyprland/pull/5788)
> 
> There's also https://github.com/hyprwm/Hyprland/pull/5801.
> 
> There are also comments from solar on Twitter which point out, I think, some
> outstanding issues not yet addressed but I didn't check thoroughly.

All these changes have now been merged, and the issue appears to be resolved.

Comment 4 Sam James archtester

2024-05-02 18:35:47 UTC

Security bugs in Gentoo get closed once a fixed version is in tree, stabled if relevant, cleaned up vulnerable versions, and possibly a GLSA published.

Comment 5 Jose Maldonado 2024-05-02 19:28:07 UTC

(In reply to Sam James from comment #4)
> Security bugs in Gentoo get closed once a fixed version is in tree, stabled
> if relevant, cleaned up vulnerable versions, and possibly a GLSA published.

I understand, and it is correct, until the patch is in the tree, it cannot be said to be patched in Gentoo.

Comment 6 Larry the Git Cow gentoo-dev

2024-05-15 08:04:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fe69c4c758d917bc5f042d99c33867c95d5bebc

commit 0fe69c4c758d917bc5f042d99c33867c95d5bebc
Author:     Julien Roy <julien@jroy.ca>
AuthorDate: 2024-05-13 18:47:24 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-05-15 08:03:45 +0000

    gui-wm/hyprland: add 0.40.0
    
    Closes: https://bugs.gentoo.org/931680
    Bug: https://bugs.gentoo.org/930945
    Signed-off-by: Julien Roy <julien@jroy.ca>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 gui-wm/hyprland/Manifest                           |   1 +
 .../files/wlroots-hyprland-apply-0.40.0.patch      |  23 ++++
 gui-wm/hyprland/hyprland-0.40.0.ebuild             | 147 +++++++++++++++++++++
 3 files changed, 171 insertions(+)