| Summary: | app-misc/dnetc: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security Audit Team <security-audit> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | CC: | ahipp0, robbat2 |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 691252 | ||
Robin recently announced that this package was up for grabs. Unmaintained and vulnerable are a bad combination -- can we please make this bug public, so that I can reference it in package.mask? Here's the mailing list thread, if anyone is curious: https://archives.gentoo.org/gentoo-dev/message/c43a368ff49d3e8f8c28937db9a700e1 package.mask incoming. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44a0da0e02e234f1d43b1801fe2b6de12b2c6885 commit 44a0da0e02e234f1d43b1801fe2b6de12b2c6885 Author: Michael Orlitzky <mjo@gentoo.org> AuthorDate: 2019-08-18 22:59:47 +0000 Commit: Michael Orlitzky <mjo@gentoo.org> CommitDate: 2019-08-18 23:04:01 +0000 profiles: mask app-misc/dnetc for eventual removal. Bug: https://bugs.gentoo.org/630808 Signed-off-by: Michael Orlitzky <mjo@gentoo.org> profiles/package.mask | 6 ++++++ 1 file changed, 6 insertions(+) I can perhaps step up as a proxy maintainer for dnetc. It's actually has the latest release in-tree already, so just the chown needs to be fixed, I suppose. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=446f997c23defe312ab8e5b386dcef06e01a29f1 commit 446f997c23defe312ab8e5b386dcef06e01a29f1 Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2019-09-14 23:28:34 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2019-09-14 23:29:59 +0000 app-misc/dnetc: Remove last-rited package Closes: https://bugs.gentoo.org/405521 Closes: https://bugs.gentoo.org/691946 Bug: https://bugs.gentoo.org/630808 Closes: https://bugs.gentoo.org/691252 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> app-misc/dnetc/Manifest | 6 -- app-misc/dnetc/dnetc-2.9108.517.ebuild | 93 ------------------------------ app-misc/dnetc/dnetc-2.9112.521.ebuild | 100 --------------------------------- app-misc/dnetc/files/dnetc.confd | 18 ------ app-misc/dnetc/files/dnetc.initd | 88 ----------------------------- app-misc/dnetc/metadata.xml | 11 ---- 6 files changed, 316 deletions(-) |
The dnetc ebuilds call chown recursively on the live root filesystem in pkg_postinst: pkg_postinst() { chown -Rf dnetc:dnetc /opt/distributed.net ... The dnetc user can place a hard link in /opt/distributed.net pointing to a sensitive root-owned file, and the next time that dnetc is emerged, that file will be given to the dnetc user. For example, 1. emerge dnetc 2. sudo su -s /bin/sh -c 'ln /etc/passwd /opt/distributed.net/foo' dnetc 3. emerge dnetc 4. the file /etc/passwd is owned by dnetc:dnetc