| Summary: | <net-misc/vde-2.3.2-r4: privilege escalation via init script | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | jmbsvicetto, np-hardass |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=540006 | | |
| Whiteboard: | B1 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | vde.init-r1, vde.confd-r1 | | |
Description
Michael Orlitzky
2016-12-21 21:08:36 UTC
@mjo: Please keep in mind that assigning aliases to CC on security-related bug reports does not grant anyone access, and as such should not be used. For the rest of the report, please see also bug 540006 for similar hardening in checkpath, which mitigates this attack, as well as includes discussion on the kernel mitigation in gentoo-sources for this attack.

Created attachment 489566 [details]
vde.init-r1

Created attachment 489568 [details]
vde.confd-r1

Here are two reworked init.d/conf.d files that I think do the right thing, and are a lot cleaner (and without this vulnerability).
Can the maintainer please take a look? I'm not a user of vde myself, so I may have missed something subtle.

It looks like this got new maintainers since I filed the bug. Jorge, please see if my init script could work.

commit 6f1fcfa83b146bdca6c5def233e63c14a0c89d7d (HEAD -> master, origin/master, origin/HEAD)
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date: Wed Sep 20 18:04:09 2017 -0400

    profiles: base/package.use.mask package.mask: Drop net-misc/vde masks

    Acked-By: mjo@gentoo.org
    Bug: https://bugs.gentoo.org/603382

commit 26fdd489e493639d3ecc5bfb58175cb04828c15b
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date: Wed Sep 20 17:57:57 2017 -0400

    net-misc/vde: Drop vulnerable versions

    Bug: https://bugs.gentoo.org/603382
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

commit bd4f1fb99926525dd935c37f4ec35fd963d43e4a
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date: Wed Sep 20 17:57:05 2017 -0400

    net-misc/vde: 2.3.2-r4 stable for amd64, x86

    Package-Manager: Portage-2.3.8, Repoman-2.3.3

commit 487449d882b95ff9d88657746ee835553e461a27
Author: NP-Hardass <NP-Hardass@gentoo.org>
Date: Wed Sep 20 17:48:21 2017 -0400

    net-misc/vde: Revbump to 2.3.2-r4, EAPI bump

    Acked-By: mjo@gentoo.org
    Bug: https://bugs.gentoo.org/603382
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

Only waiting on a ppc stabilization to bring it back to where it was, pre-mask.

This is all good (thanks to np-hardass); can it please be made public so that I can reference it in the CVE request?

(In reply to Michael Orlitzky from comment #6)
> This is all good (thanks to np-hardass), can it please be made public so
> that I can reference it in the CVE request?

Ping =)

(In reply to NP-Hardass from comment #5)
> commit 6f1fcfa83b146bdca6c5def233e63c14a0c89d7d (HEAD -> master,
> origin/master, origin/HEAD)
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date: Wed Sep 20 18:04:09 2017 -0400
>
> profiles: base/package.use.mask package.mask: Drop net-misc/vde masks
>
> Acked-By: mjo@gentoo.org
> Bug: https://bugs.gentoo.org/603382
>
> commit 26fdd489e493639d3ecc5bfb58175cb04828c15b
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date: Wed Sep 20 17:57:57 2017 -0400
>
> net-misc/vde: Drop vulnerable versions
>
> Bug: https://bugs.gentoo.org/603382
> Package-Manager: Portage-2.3.8, Repoman-2.3.3
>
> commit bd4f1fb99926525dd935c37f4ec35fd963d43e4a
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date: Wed Sep 20 17:57:05 2017 -0400
>
> net-misc/vde: 2.3.2-r4 stable for amd64, x86
>
> Package-Manager: Portage-2.3.8, Repoman-2.3.3
>
> commit 487449d882b95ff9d88657746ee835553e461a27
> Author: NP-Hardass <NP-Hardass@gentoo.org>
> Date: Wed Sep 20 17:48:21 2017 -0400
>
> net-misc/vde: Revbump to 2.3.2-r4, EAPI bump
>
> Acked-By: mjo@gentoo.org
> Bug: https://bugs.gentoo.org/603382
> Package-Manager: Portage-2.3.8, Repoman-2.3.3
>
> Only waiting on a ppc stabilization to bring it back to where it was,
> pre-mask

I should clarify that we dropped stable keywords for ppc in the interim. We shouldn't be waiting on anything to move forward, AFAICT.

This was assigned CVE-2017-16638, so I think it's ready for security@ to finish up.

CVE-2017-16638 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16638): The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script.

@maintainer(s), proceed with stable-bot for:
=net-misc/vde: Revbump to 2.3.2-r4

@security, Summary changed. Whiteboard changed. Severity changed. Vote changed.

Personally have never used package either.

Change set attributes to object.

Gentoo Security Padawan: (jmbailey/mbailey_j)
Thank you all, New GLSA Request filed.

This issue was resolved and addressed in GLSA 201711-11 at https://security.gentoo.org/glsa/201711-11 by GLSA coordinator Christopher Diaz Riveros (chrisadr).
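The attack class named in the CVE text (a recursive chown over a directory that a service group can write to, retargeted through a planted hard link) and the two mitigations the thread points at (non-recursive ownership handling via checkpath, bug 540006; the kernel's hard-link restriction in gentoo-sources) as an added example. This is not code from the bug report, from the attached vde.init-r1, or from vde itself; the function names, the directory and owner arguments, and the constructed temp tree are hypothetical stand-ins, and the demo runs as an ordinary user with a file it owns standing in for the root-owned target.

```shell
#!/bin/sh
# Added example, not code from the bug report or from vde's init script.
# Contrasts the recursive-chown idiom the CVE text describes with a
# non-recursive preparation step, plus two checks an admin can run.
# All paths, names and the $owner/$mode arguments are hypothetical.

# Vulnerable idiom: the service's runtime directory is writable by the
# service group and is chowned recursively by root at start-up. A group
# member who plants a hard link to a root-owned file inside it gets that
# file's ownership changed as well.
vulnerable_prepare() {
    dir=$1 owner=$2
    mkdir -p "$dir"
    chown -R "$owner" "$dir"    # DO NOT USE: follows every entry in $dir
}

# Hardened form: only the directory inode itself is touched; whatever
# already sits beneath it keeps its owner. In an OpenRC script the
# idiomatic equivalent is the checkpath helper referenced in bug 540006.
hardened_prepare() {
    dir=$1 owner=$2 mode=$3
    mkdir -p "$dir"
    chown "$owner" "$dir"       # no -R
    chmod "$mode" "$dir"
}

# Pre-flight check: list regular files under $1 with a link count > 1,
# the footprint of a planted hard link. Returns 1 if any is found.
find_hardlink_traps() {
    found=$(find "$1" -type f -links +1)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Kernel-side mitigation the thread mentions (gentoo-sources):
# fs.protected_hardlinks=1 stops unprivileged users linking to files
# they neither own nor can write. Returns 0 only when it is on.
hardlinks_protected() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = 1 ]
}

# Demonstration on a constructed tree in a temp dir, run as an ordinary
# user: a file we own stands in for the root-owned target.
demo() {
    tmp=$(mktemp -d)
    printf 'secret\n' > "$tmp/secret"
    hardened_prepare "$tmp/run" "$(id -un):$(id -gn)" 0750
    ln "$tmp/secret" "$tmp/run/trap"    # what a hostile group member would do
    if find_hardlink_traps "$tmp/run"; then
        echo "clean: no hard links under $tmp/run"
    else
        echo "hard link found: a recursive chown here would retarget it"
    fi
    hardlinks_protected && echo "fs.protected_hardlinks is on" \
        || echo "fs.protected_hardlinks is off or unreadable"
    rm -rf "$tmp"
}

demo
```

The pre-flight check is a detection aid, not a fix: between the `find` and the `chown -R` the attacker can still plant the link, so the real mitigation is to never recurse over a directory that a less-privileged principal can write to, and to keep `fs.protected_hardlinks` enabled as a second layer.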