
Bug 629412 (CVE-2017-18225)

Summary: net-im/jabberd2: system executables owned by non-root user
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/8569
Whiteboard: B1 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-08-31 01:42:49 UTC
The executables installed to /usr/bin by net-im/jabberd2 are owned by the "jabber" user:

  -rwxr-x---   1 jabber    jabber    9.5K 2017-08-30 21:34 jabberd
  -rwxr-x---   1 jabber    jabber    192K 2017-08-30 21:34 jabberd2-c2s
  -rwxr-x---   1 jabber    jabber    160K 2017-08-30 21:34 jabberd2-router
  -rwxr-x---   1 jabber    jabber    180K 2017-08-30 21:34 jabberd2-s2s
  -rwxr-x---   1 jabber    jabber    180K 2017-08-30 21:34 jabberd2-sm

Those are in root's PATH, and could conceivably be run as root during debugging or experimentation. If that ever happens, it's trivial for the "jabber" user to gain root; instead, those should likely all be root:root, or maybe root:jabber if you want to leave them mode 750.
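
An added example, not part of the original report or the ebuild: a Python audit that flags executables in PATH directories which a non-root account could rewrite, the condition described above. The function name and the default directory list are assumptions; uid 0 and gid 0 are the only trusted owners unless others are passed in.

```python
import os
import stat
import sys


def audit_executables(dirs, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Return (path, reason) pairs for executables an untrusted account can modify."""
    findings = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # PATH entry missing or unreadable
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # Regular files with any execute bit only; symlinks are not followed.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            if st.st_uid not in trusted_uids:
                # The owner can always chmod and rewrite the file, even at mode 750.
                findings.append((path, f"owner uid {st.st_uid} is not trusted"))
            if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                findings.append((path, f"group-writable by gid {st.st_gid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    # Directories from the command line, else a typical root PATH (assumed list).
    dirs = sys.argv[1:] or ["/usr/local/sbin", "/usr/local/bin",
                            "/usr/sbin", "/usr/bin", "/sbin", "/bin"]
    results = audit_executables(dirs)
    for path, reason in results:
        print(f"{path}: {reason}")
    sys.exit(1 if results else 0)
```

A root:jabber file at mode 750 passes this check, since the group has no write bit; a jabber:jabber file at the same mode is reported.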
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:27:49 UTC
Is this a Gentoo-specific issue? It may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 01:44:03 UTC
The ebuild does,

  fowners jabber:jabber /usr/bin/{jabberd,router,sm,c2s,s2s}

so I doubt it's an upstream issue.
Comment 3 Pacho Ramos gentoo-dev 2017-11-09 13:27:27 UTC
Either one takes care of deeply reviewing the ebuild and init files (due to other open bugs affecting them) or this should be treecleaned (there is also a pending security issue revbump in another bug).
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-03 17:21:51 UTC
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6.

Added to an existing GLSA request filed.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 11:04:46 UTC
CVE-2017-18225 was assigned for this issue.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:06:56 UTC
This issue was resolved and addressed in
 GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07
by GLSA coordinator Christopher Diaz Riveros (chrisadr).