Bug 944015 (CVE-2024-11003, CVE-2024-48990, CVE-2024-48991, CVE-2024-48992) - app-admin/needrestart: Local privilege escalation
Summary: app-admin/needrestart: Local privilege escalation
Status: CONFIRMED
Alias: CVE-2024-11003, CVE-2024-48990, CVE-2024-48991, CVE-2024-48992
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.qualys.com/2024/11/19/nee...
Whiteboard: B2 [ebuild]
Reported: 2024-11-19 16:47 UTC by Sam James
Modified: 2024-11-19 16:56 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-11-19 16:47:41 UTC
"""
We discovered three fundamental vulnerabilities in needrestart (three
LPEs, Local Privilege Escalations, from any unprivileged user to full
root), which are exploitable without user interaction on Ubuntu Server
(through unattended-upgrades):

- CVE-2024-48990: local attackers can execute arbitrary code as root by
  tricking needrestart into running the Python interpreter with an
  attacker-controlled PYTHONPATH environment variable.

  Last-minute update: an additional CVE, CVE-2024-48992, has been
  assigned to needrestart because local attackers can also execute
  arbitrary code as root by tricking needrestart into running the Ruby
  interpreter with an attacker-controlled RUBYLIB environment variable.

- CVE-2024-48991: local attackers can execute arbitrary code as root by
  winning a race condition and tricking needrestart into running their
  own, fake Python interpreter (instead of the system's real Python
  interpreter).

- CVE-2024-10224: local attackers can execute arbitrary shell commands
  as root by tricking needrestart into open()ing a filename of the form
  "commands|" (technically, this vulnerability is in Perl's ScanDeps
  module, but it is unclear whether this module was ever meant to
  operate on attacker-controlled files or not).

  Last-minute update: in the end, an additional CVE, CVE-2024-11003, has
  been assigned to needrestart for calling Perl's ScanDeps module with
  attacker-controlled files.
"""
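An added example, not part of the bug report, the quoted advisory, or needrestart itself: a defender-side audit for the condition behind CVE-2024-48990 and CVE-2024-48992, flagging processes whose PYTHONPATH or RUBYLIB names a directory that is missing, not root-owned, or group/world-writable. It assumes a Linux /proc and that the process environment is where such a variable would be picked up; the function names and the sample environment block are constructed for illustration.

```python
import os
import stat

# Variables named in the advisory: PYTHONPATH (CVE-2024-48990), RUBYLIB (CVE-2024-48992).
SEARCH_PATH_VARS = {"PYTHONPATH": "CVE-2024-48990", "RUBYLIB": "CVE-2024-48992"}

def parse_environ(blob):
    """Parse a NUL-separated environment block (the /proc/<pid>/environ layout)."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def untrusted_dir(path, trusted_uids=(0,)):
    """True if path is missing, owned by an untrusted uid, or group/world-writable."""
    try:
        st = os.stat(path)
    except OSError:
        return True  # cannot be verified, so do not trust it
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_environ(blob, is_untrusted=untrusted_dir):
    """Return (cve, variable, entry) for every untrusted search-path entry."""
    env = parse_environ(blob)
    findings = []
    for var, cve in SEARCH_PATH_VARS.items():
        entries = filter(None, env.get(var, "").split(os.pathsep))
        findings += [(cve, var, e) for e in entries if is_untrusted(e)]
    return findings

def scan_proc(proc="/proc"):
    """Audit every readable process environment; returns {pid: findings}."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                findings = audit_environ(fh.read())
        except OSError:
            continue  # process exited, or its environment is not readable by us
        if findings:
            report[int(pid)] = findings
    return report

if __name__ == "__main__":
    constructed_sample = b"HOME=/home/alice\0PYTHONPATH=/tmp/mods:/usr/lib/python3\0"
    print(audit_environ(constructed_sample, is_untrusted=lambda p: p.startswith("/tmp/")))
    print(scan_proc())
```

Run as root to see every process; `untrusted_dir` checks only the named directory itself, so a writable parent directory is not detected.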
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-11-19 16:48:09 UTC
Please bump to 3.8 ASAP.
Comment 2 Larry the Git Cow gentoo-dev 2024-11-19 16:56:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d766c19fc7d8414502f5d478ba3c8fbf905e581c

commit d766c19fc7d8414502f5d478ba3c8fbf905e581c
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2024-11-19 16:54:43 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2024-11-19 16:56:43 +0000

    app-admin/needrestart: add 3.8
    
    Bug: https://bugs.gentoo.org/944015
    
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 app-admin/needrestart/Manifest                |  1 +
 app-admin/needrestart/needrestart-3.8.ebuild  | 40 +++++++++++++++++++++++++++
 app-admin/needrestart/needrestart-9999.ebuild |  1 -
 3 files changed, 41 insertions(+), 1 deletion(-)