Summary: <app-admin/tenshi-0.17: local privilege traversal through tenshi.pid
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: atj, bldewolf, mjo, proxy-maint
Whiteboard: B2 [glsa+ cve]
Runtime testing required: ---
Description Christopher Díaz Riveros (RETIRED) 2017-07-30 20:01:33 UTC
From URL:

Description: Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a “kill `cat /pathname/tenshi.pid`” command.
Comment 1 Michael Orlitzky 2017-08-17 13:44:50 UTC
Created attachment 489380 [details] tenshi-0.16.ebuild

This also fixes bug 611082, but there's one annoying issue with some missing files in the tarball. I'll report it upstream in a second. Proxy maintainers please review.
Comment 2 Michael Orlitzky 2017-08-17 14:01:16 UTC
Created attachment 489382 [details] tenshi-0.16.ebuild

Ok, the missing files got fixed in about 30 seconds. Here's a new version with no caveats.
Comment 3 Christopher Díaz Riveros (RETIRED) 2017-08-17 14:04:04 UTC
Thanks, please let us know when you are ready for stabilization or call it yourself.

Gentoo Security Padawan
ChrisADR
Comment 4 Michael Orlitzky 2017-08-29 10:12:03 UTC
Maintainers? I'm happy to fix this myself.
Comment 5 Christopher Díaz Riveros (RETIRED) 2017-08-29 16:05:08 UTC
(In reply to Michael Orlitzky from comment #4)
> Maintainers? I'm happy to fix this myself.

It's been almost a month since the report and no answer from maintainers; CCing proxy-maint to let them know the situation. @Michael, if there is no answer in the next 2 or 3 days, could you please ensure that it is ready for stabilization? Thanks

Gentoo Security Padawan
ChrisADR
Comment 6 Michael Orlitzky 2017-08-29 17:45:09 UTC
I don't use tenshi myself -- I discovered the bug by accident -- so let's try this: I just committed v0.16 to the tree as ~arch. If no one files any bugs in the next few days and the maintainers don't speak up, just proceed with stabilization and I'll clean up afterwards.
Comment 7 Brian De Wolf 2017-08-31 00:23:35 UTC
I tested out 0.16 and noticed that it was starting tail as root instead of the tenshi user. It looks like the changes done to move the pidfile creation before dropping privs also made everything else occur before dropping privs. This has some unfortunate consequences, since the program tenshi calls for tail can be specified in the config and the ebuild installs the config as writable to the tenshi user. I've made a pull request with a potential fix: https://github.com/inversepath/tenshi/pull/9
Comment 8 Michael Orlitzky 2017-08-31 00:58:15 UTC
(In reply to Brian De Wolf from comment #7)
> the ebuild installs the config as writable to the tenshi user.

Hey, you found another root exploit =)

The "tenshi" user can not only write whatever he wants for the "tail" command, but he can put "set uid root" into tenshi.conf to gain root the next time the daemon starts (because it will run his "tail" command as root).

I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!
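The two defects discussed in this thread, a pidfile created only after privileges are dropped (so the daemon user can rewrite what a root-run "kill `cat tenshi.pid`" acts on) and a daemon-writable tenshi.conf that chooses the command root will execute, come down to one rule: root must create, own and validate every file it later acts on. The following is an added example of that pattern in Python; it is not tenshi's or Gentoo's code. It assumes a POSIX host, all function names are my own, `drop_privileges()` is included only to show the ordering (it needs root to run), and the paths, modes and file contents in `demo()` are constructed.

```python
"""Hardened pidfile/config handling for a privilege-dropping daemon.  Added
example, not tenshi's or Gentoo's code; assumes a POSIX host, and every path,
mode and file content in demo() is constructed."""
import os
import re
import stat
import tempfile

class PidfileError(Exception):
    """The file must not be trusted: nothing gets signalled or parsed."""

def write_pidfile(path, mode=0o644):
    """Create the pidfile BEFORE dropping privileges so root owns it.  O_EXCL
    refuses a pre-existing file, O_NOFOLLOW a symlink planted at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
    try:
        os.write(fd, f"{os.getpid()}\n".encode("ascii"))
    finally:
        os.close(fd)
    return os.getpid()

def drop_privileges(uid, gid):
    """Only after write_pidfile(); uid last, since setuid() would forbid the rest."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

def open_trusted(path, trusted_owner_uid):
    """Open a file root is about to act on (pidfile or config) and insist it is
    a regular file, owned by the trusted uid, and writable by nobody else."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:  # ELOOP when a symlink sits at the path
        raise PidfileError(f"cannot open {path}: {exc.strerror}") from exc
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != trusted_owner_uid
            or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)):
        os.close(fd)
        raise PidfileError(f"{path}: not a regular file owned by uid "
                           f"{trusted_owner_uid} with group/other write bits clear")
    return fd

def read_trusted_pid(path, trusted_owner_uid=0, lowest_pid=2):
    """What a root init script should do instead of kill `cat pidfile`."""
    fd = open_trusted(path, trusted_owner_uid)
    try:
        data = os.read(fd, 64).decode("ascii", "replace").strip()
    finally:
        os.close(fd)
    if not re.fullmatch(r"[0-9]+", data):
        raise PidfileError(f"content is not a pid: {data!r}")
    pid = int(data)
    if pid < lowest_pid:  # never pid 0 (own process group) or init
        raise PidfileError(f"refusing to signal pid {pid}")
    return pid

def read_trusted_config(path, trusted_owner_uid=0):
    """The config names the 'tail' command root runs: same check before parsing."""
    fd = open_trusted(path, trusted_owner_uid)
    try:
        return os.read(fd, 1 << 16).decode()
    finally:
        os.close(fd)

def _rejected(reader, path, owner):
    try:
        reader(path, owner)
    except PidfileError:
        return True
    return False

def demo():
    """Run the checks in a temp dir with this process's uid as the trusted owner
    (no root needed).  Returns which constructed cases were rejected."""
    me, out = os.geteuid(), {}
    with tempfile.TemporaryDirectory() as d:
        pidfile = os.path.join(d, "tenshi.pid")
        write_pidfile(pidfile)
        # lowest_pid=1 only so the demo also passes when it runs as pid 1 in a container
        out["genuine"] = read_trusted_pid(pidfile, me, lowest_pid=1) == os.getpid()
        with open(pidfile, "w") as f:        # contents swapped for init's pid
            f.write("1\n")
        out["pid1"] = _rejected(read_trusted_pid, pidfile, me)
        with open(pidfile, "w") as f:        # contents that are not a pid at all
            f.write("not-a-pid\n")
        out["garbage"] = _rejected(read_trusted_pid, pidfile, me)
        with open(pidfile, "w") as f:
            f.write(f"{os.getpid()}\n")
        os.chmod(pidfile, 0o666)             # right pid, but anyone may edit it
        out["world_writable"] = _rejected(read_trusted_pid, pidfile, me)
        link = os.path.join(d, "link.pid")   # symlink where the file should be
        os.symlink(pidfile, link)
        out["symlink"] = _rejected(read_trusted_pid, link, me)
        conf = os.path.join(d, "tenshi.conf")
        with open(conf, "w") as f:
            f.write("set uid tenshi\n")
        os.chmod(conf, 0o664)                # group-writable config, as in 0.16
        out["config"] = _rejected(read_trusted_config, conf, me)
    return out
```

In production the trusted owner is uid 0 (the default), so a pidfile or config the daemon user has been able to touch fails the ownership or write-bit test before root reads a byte of it. On Linux a stop script can add one more check before signalling: compare the owner of /proc/<pid> with the daemon's uid, so that even a well-formed pid belonging to some other user's process is refused.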
Comment 9 Thomas Deutschmann 2017-10-19 12:01:16 UTC
Comment 10 Michael Orlitzky 2017-10-19 12:32:39 UTC
The fix for this isn't quite complete in ::gentoo, Brian has another commit upstream that is needed. I've pinged the maintainer to see if we can't get a v0.17 tagged; otherwise, I can always do an -r2 with Brian's patch.
Comment 11 Larry the Git Cow 2017-10-19 13:56:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4

commit 7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4
Author:     Michael Orlitzky <firstname.lastname@example.org>
AuthorDate: 2017-10-19 13:55:13 +0000
Commit:     Michael Orlitzky <email@example.com>
CommitDate: 2017-10-19 13:55:13 +0000

    app-admin/tenshi: new version 0.17.

    This version completes the fix for the vulnerable PID file handling
    reported in bug 626654. Thanks to the proxy maintainer Brian De Wolf
    for making sure that this was fixed correctly upstream.

    Bug: https://bugs.gentoo.org/626654
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 app-admin/tenshi/Manifest           |  1 +
 app-admin/tenshi/tenshi-0.17.ebuild | 47 +++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 12 Thomas Deutschmann 2017-10-19 14:29:28 UTC
So let's wait a few days until we restart stabilization.
Comment 13 Thomas Deutschmann 2017-10-19 14:31:14 UTC
(In reply to Michael Orlitzky from comment #8)
> (In reply to Brian De Wolf from comment #7)
> > the ebuild installs the config as writable to the tenshi user.
>
> Hey, you found another root exploit =)
>
> The "tenshi" user can not only write whatever he wants for the "tail"
> command, but he can put "set uid root" into tenshi.conf to gain root the
> next time the daemon starts (because it will run his "tail" command as root).
>
> I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!

Was this a Gentoo-only vulnerability or was it an upstream bug so we should get a CVE?
Comment 14 Michael Orlitzky 2017-10-19 14:56:36 UTC
(In reply to Thomas Deutschmann from comment #13)
> Was this a Gentoo-only vulnerability or was it an upstream bug so we should
> get a CVE?

Check the title bar of your web browser =)
Comment 15 Aaron Bauman 2018-01-23 01:51:52 UTC
@arches, please stabilize.
Comment 16 Agostino Sarubbo 2018-01-23 16:42:11 UTC
Comment 17 Thomas Deutschmann 2018-01-26 18:22:39 UTC
Comment 18 Sergei Trofimovich (RETIRED) 2018-03-03 21:27:16 UTC
Comment 19 Johannes Huber 2018-04-17 19:17:03 UTC
Cleanup done by treecleaners.
Comment 20 Aaron Bauman 2018-04-18 00:36:08 UTC
GLSA request filed