Created attachment 494768 [details]
smokeping-2.6.11-r1.ebuild

The init script for smokeping gives ownership of its PID file directory to the "smokeping" user:

  start() {
      checkconfig || return 1
      checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
      ...

This can be exploited by the "smokeping" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the "smokeping" user).

Since smokeping cannot drop privileges itself, there is no way to safely use the PID file that it creates: to run as a restricted user, we need start-stop-daemon to execute smokeping as a restricted user, after which it's already too late.

I've rewritten the init script to work around this by passing "--nodaemon" to smokeping, and by letting OpenRC background it and manage its PID file. Since smokeping insists on writing a PID file (it won't start otherwise), I've modified the ebuild to stick the unsafe PID file in /var/lib/smokeping. Now that /run/smokeping is unused, the tmpfiles.d entry is no longer needed.
Created attachment 494770 [details] smokeping.init.5
One more thing: I dropped the line,

  checkpath -d -m 0755 -o smokeping:smokeping /var/cache/smokeping

because /var/cache/smokeping doesn't appear in the config anywhere (and apparently systemd doesn't need it). If I messed that up, just add it back.
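An added example, not part of the original report or of the Gentoo init script: a POSIX shell check for the condition described in the first comment, where a privileged process signals whatever PID an unprivileged user is able to write. The names check_owner_mode and pidfile_trust_check are hypothetical, GNU stat(1) is assumed, and only the PID file and its immediate directory are inspected (ancestor directories are not walked).

```shell
#!/bin/sh
# Added example (not from the bug report or the Gentoo tree).
# Hypothetical helper names; assumes GNU stat(1).

# check_owner_mode PATH UID: PATH must belong to UID and must not be
# writable by group or others.
check_owner_mode() {
    path=$1; want=$2; ok=0
    set -- $(stat -c '%u %a' -- "$path")    # $1 = owner uid, $2 = octal mode
    [ "$1" = "$want" ] || { echo "UNSAFE: $path is owned by uid $1, not $want"; ok=1; }
    [ $(( 0$2 & 022 )) -eq 0 ] || { echo "UNSAFE: $path (mode $2) is group/other-writable"; ok=1; }
    return "$ok"
}

# pidfile_trust_check FILE [TRUSTED_UID]: returns 0 only if a process running
# as TRUSTED_UID (default 0) may act on the PID stored in FILE.
pidfile_trust_check() {
    pf=$1; trusted=${2:-0}; rc=0
    dir=$(dirname -- "$pf")

    # Whoever can write to the directory can replace the PID file at will.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "UNSAFE: $dir is a symlink or not a directory"; return 1
    fi
    check_owner_mode "$dir" "$trusted" || rc=1

    # A PID file that does not exist yet is fine if the directory is.
    [ -e "$pf" ] || [ -L "$pf" ] || return "$rc"
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "UNSAFE: $pf is not a regular file"; return 1
    fi
    check_owner_mode "$pf" "$trusted" || rc=1

    # The contents must be exactly one positive PID and nothing else.
    pid=$(cat -- "$pf")
    case $pid in
        ''|0*|*[!0-9]*) echo "UNSAFE: $pf does not hold a single PID"; rc=1 ;;
    esac
    return "$rc"
}

# When run with arguments, check the given PID file.
[ $# -eq 0 ] || pidfile_trust_check "$@"
```

A directory prepared with `checkpath -d -m 0755 -o smokeping:smokeping`, as in the excerpt above, fails the owner check when the trusted UID is 0.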
@maintainer(s), ebuild provided, please call for stabilization when ready, thank you.

Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)
(In reply to jmbailey from comment #3)
> @maintainer(s), ebuild provided, please call for stabilization when ready,
> thank you.
>
> Gentoo Security Padawan
> Daj Uan (jmbailey/mbailey_j)

The ebuild would need to be in the tree first.
(In reply to Michael Orlitzky from comment #1)
> Created attachment 494770 [details]
> smokeping.init.5

It looks like this new init.d script does not fix bug #602652.
(In reply to Jeroen Roovers from comment #5)
> (In reply to Michael Orlitzky from comment #1)
> > Created attachment 494770 [details]
> > smokeping.init.5
>
> It looks like this new init.d script does not fix bug #602652.

That said, I have added it in 2.7.1.
--nodaemon breaks event logging to syslog bug #651212
Maintainer(s): Ping.
commit eeb4da5e8fa5e420eaa8756e1ab144d2799d1108
Author: John Helmert III <ajak@gentoo.org>
Date:   Sun Aug 14 13:58:42 2022 -0500

    profiles: last rite net-analyzer/smokeping

    Signed-off-by: John Helmert III <ajak@gentoo.org>
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2310b0cd4914c79b2e8f3cb424259bb6e635a195

commit 2310b0cd4914c79b2e8f3cb424259bb6e635a195
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:16:58 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:16:58 +0000

    net-analyzer/smokeping: treeclean

    Bug: https://bugs.gentoo.org/631140
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-analyzer/smokeping/Manifest                  |   1 -
 net-analyzer/smokeping/files/79_smokeping.conf   |  15 ---
 net-analyzer/smokeping/files/smokeping.conf      |   1 -
 net-analyzer/smokeping/files/smokeping.init.5    |  56 ---------
 net-analyzer/smokeping/files/smokeping.service   |  10 --
 net-analyzer/smokeping/metadata.xml              |  12 --
 net-analyzer/smokeping/smokeping-2.7.3-r1.ebuild | 143 -----------------------
 profiles/package.mask                            |   5 -
 8 files changed, 243 deletions(-)
GLSA request filed, CVE pending
GLSA released, all done!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=43b264c01a53f702e49274e4685d2a50c5d40ca2

commit 43b264c01a53f702e49274e4685d2a50c5d40ca2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:34:27 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:20 +0000

    [ GLSA 202209-08 ] Smokeping: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/602562
    Bug: https://bugs.gentoo.org/631140
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-08.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)