Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 626654 (CVE-2017-11746)

Summary: <app-admin/tenshi-0.17: local privilege traversal through tenshi.pid
Product: Gentoo Security Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: atj, bldewolf, mjo, proxy-maint
Priority: Low Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/inversepath/tenshi/issues/6
Whiteboard: B2 [glsa+ cve]
Package list:
=app-admin/tenshi-0.17
Runtime testing required: ---
Attachments:
Description Flags
tenshi-0.16.ebuild
none
tenshi-0.16.ebuild none

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-30 20:01:33 UTC
From URL:

Description: Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a “kill `cat /pathname/tenshi.pid`” command.
Comment 1 Michael Orlitzky gentoo-dev 2017-08-17 13:44:50 UTC
Created attachment 489380 [details]
tenshi-0.16.ebuild

This also fixes bug 611082, but there's one annoying issue with some missing files in the tarball. I'll report it upstream in a second. Proxy maintainers please review.
Comment 2 Michael Orlitzky gentoo-dev 2017-08-17 14:01:16 UTC
Created attachment 489382 [details]
tenshi-0.16.ebuild

Ok, the missing files got fixed in about 30 seconds. Here's a new version with no caveats.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 14:04:04 UTC
Thanks, please let us know when you are ready for stabilization or call it yourself. 

Gentoo Security Padawan 
ChrisADR
Comment 4 Michael Orlitzky gentoo-dev 2017-08-29 10:12:03 UTC
Maintainers? I'm happy to fix this myself.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-29 16:05:08 UTC
(In reply to Michael Orlitzky from comment #4)
> Maintainers? I'm happy to fix this myself.

It's been almost a month since the report and no answer from maintainers,
CCing proxy-maint to let them know the situation.


@Michael if no answer in the next 2 or 3 days, could you please ensure that is ready for stabilization?

Thanks

Gentoo Security Padawan
ChrisADR
Comment 6 Michael Orlitzky gentoo-dev 2017-08-29 17:45:09 UTC
I don't use tenshi myself -- I discovered the bug by accident -- so let's try this: I just committed v0.16 to the tree as ~arch. If no one files any bugs in the next few days and the maintainers don't speak up, just proceed with stabilization and I'll clean up afterwards.
Comment 7 Brian De Wolf 2017-08-31 00:23:35 UTC
I tested out 0.16 and noticed that it was starting tail as root instead of the tenshi user.  It looks like the changes done to move the pidfile creation before dropping privs also made everything else occur before dropping privs.  This has some unfortunate consequences, since the program tenshi calls for tail can be specified in the config and the ebuild installs the config as writable to the tenshi user.

I've made a pull request with a potential fix:
https://github.com/inversepath/tenshi/pull/9
Comment 8 Michael Orlitzky gentoo-dev 2017-08-31 00:58:15 UTC
(In reply to Brian De Wolf from comment #7)
> the ebuild installs the config as writable to the tenshi user.

Hey, you found another root exploit =)

The "tenshi" user can not only write whatever he wants for the "tail" command, but he can put "set uid root" into tenshi.conf to gain root the next time the daemon starts (because it will run his "tail" command as root).

I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!
Comment 9 Thomas Deutschmann gentoo-dev 2017-10-19 12:01:16 UTC
x86 stable
Comment 10 Michael Orlitzky gentoo-dev 2017-10-19 12:32:39 UTC
The fix for this isn't quite complete in ::gentoo, Brian has another commit upstream that is needed. I've pinged the maintainer to see if we can't get a v0.17 tagged; otherwise, I can always do an -r2 with Brian's patch.
Comment 11 Larry the Git Cow gentoo-dev 2017-10-19 13:56:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4

commit 7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-10-19 13:55:13 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-10-19 13:55:13 +0000

    app-admin/tenshi: new version 0.17.
    
    This version completes the fix for the vulnerable PID file handling
    reported in bug 626654. Thanks to the proxy maintainer Brian De Wolf
    for making sure that this was fixed correctly upstream.
    
    Bug: https://bugs.gentoo.org/626654
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 app-admin/tenshi/Manifest           |  1 +
 app-admin/tenshi/tenshi-0.17.ebuild | 47 +++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)}
Comment 12 Thomas Deutschmann gentoo-dev 2017-10-19 14:29:28 UTC
So let's wait a few days until we restart stabilization.
Comment 13 Thomas Deutschmann gentoo-dev 2017-10-19 14:31:14 UTC
(In reply to Michael Orlitzky from comment #8)
> (In reply to Brian De Wolf from comment #7)
> > the ebuild installs the config as writable to the tenshi user.
> 
> Hey, you found another root exploit =)
> 
> The "tenshi" user can not only write whatever he wants for the "tail"
> command, but he can put "set uid root" into tenshi.conf to gain root the
> next time the daemon starts (because it will run his "tail" command as root).
> 
> I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!

Was this a Gentoo-only vulnerability or was it an upstream bug so we should get a CVE?
Comment 14 Michael Orlitzky gentoo-dev 2017-10-19 14:56:36 UTC
(In reply to Thomas Deutschmann from comment #13)
> 
> Was this a Gentoo-only vulnerability or was it an upstream bug so we should
> get a CVE?

Check the title bar of your web browser =)
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-23 01:51:52 UTC
@arches, please stabilize.
Comment 16 Agostino Sarubbo gentoo-dev 2018-01-23 16:42:11 UTC
amd64 stable
Comment 17 Thomas Deutschmann gentoo-dev 2018-01-26 18:22:39 UTC
x86 stable
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 21:27:16 UTC
ppc stable
Comment 19 Johannes Huber gentoo-dev 2018-04-17 19:17:03 UTC
Cleanup done by treecleaners.
Comment 20 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-18 00:36:08 UTC
GLSA request filed
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2018-04-22 22:38:28 UTC
This issue was resolved and addressed in
 GLSA 201804-18 at https://security.gentoo.org/glsa/201804-18
by GLSA coordinator Aaron Bauman (b-man).