| Field | Value |
|---|---|
| Summary | mail-filter/dspam: privilege escalation via PID file manipulation |
| Product | Gentoo Security |
| Reporter | Michael Orlitzky <mjo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | ajak, maintainer-needed, net-mail+disabled, treecleaner, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | dspam.initd-r1 (attachment 494348), dspam.confd-r1 (attachment 494350) |
Created attachment 494348
dspam.initd-r1

The init script for dspam gives ownership of its PID file directory to the "dspam" user:

    checkpath -q -d -o dspam:dspam -m 0755 "${PIDDIR}" || return 1

This can be exploited by "dspam" to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of that PID file.

I've rewritten the init script to work around this by running in the foreground, and by letting OpenRC push the process into the background and manage its PID file. I'm attaching the init script and conf.d file (which no longer has a PIDFILE setting), but there is one change that needs to be made to the ebuild as well: dspam tries to write its own PID file, even when it's running in the foreground. The default location that it tries to use does not exist, and so the daemon will fail to start unless you change that path. A "sed" or something similar can be used in the ebuild to set

    ServerPID /tmp/dspam.pid

in dspam.conf. That location should exist and be writable on every installation. (The ServerPID is completely ignored; the *real* PID file is managed by OpenRC.)

Created attachment 494350
dspam.confd-r1

CCing treecleaner. This appears to be unmaintained, and hasn't had a maintainer since net-mail@. Related package www-apps/dspam-web has also had an open version bump request since 2013.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d171af00bde657b42eead2f34beab6cc60a72f63

    commit d171af00bde657b42eead2f34beab6cc60a72f63
    Author:     Sam James <sam@gentoo.org>
    AuthorDate: 2020-08-04 01:19:26 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2020-08-04 02:43:10 +0000

    profiles/package.mask: last-rite mail-filter/dspam

    Bug: https://bugs.gentoo.org/630884
    Bug: https://bugs.gentoo.org/713404
    Bug: https://bugs.gentoo.org/707274
    Bug: https://bugs.gentoo.org/692436
    Bug: https://bugs.gentoo.org/490322
    Bug: https://bugs.gentoo.org/626474
    Signed-off-by: Sam James <sam@gentoo.org>

    profiles/package.mask | 15 +++++++++++++++
    1 file changed, 15 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=591c43d3d90dd3aa1752e8a90b49cc8467058a4b

    commit 591c43d3d90dd3aa1752e8a90b49cc8467058a4b
    Author:     Sam James <sam@gentoo.org>
    AuthorDate: 2020-09-04 00:07:50 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2020-09-04 00:09:19 +0000

    mail-filter/dspam: remove last-rited pkg

    Bug: https://bugs.gentoo.org/692436
    Bug: https://bugs.gentoo.org/630884
    Bug: https://bugs.gentoo.org/626474
    Bug: https://bugs.gentoo.org/490322
    Bug: https://bugs.gentoo.org/707274
    Bug: https://bugs.gentoo.org/713404
    Bug: https://bugs.gentoo.org/665910
    Bug: https://bugs.gentoo.org/520844
    Signed-off-by: Sam James <sam@gentoo.org>

    mail-filter/dspam/Manifest                         |   1 -
    mail-filter/dspam/dspam-3.10.2-r2.ebuild           | 221 --------------------
    mail-filter/dspam/dspam-3.10.2-r3.ebuild           | 223 ---------------------
    .../dspam-3.10.2-mysql8-my_bool-typedef.patch      |  13 --
    mail-filter/dspam/files/dspam.confd                |   7 -
    mail-filter/dspam/files/dspam.cron-r4              |   5 -
    mail-filter/dspam/files/dspam.initd                |  44 ----
    mail-filter/dspam/files/dspam.logrotate            |  10 -
    mail-filter/dspam/metadata.xml                     |  35 ----
    profiles/package.mask                              |   1 -
    10 files changed, 560 deletions(-)
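Added example, not code from the bug report, the attached init script, or the dspam package: a POSIX shell check that a stop action can run before it trusts a daemon-written PID file. It generalises the report's point (root signalling whatever PID a daemon-owned directory happens to contain) into an explicit validation: the file's directory must be owned by the user running the stop and not be group- or world-writable, the content must be a bare PID greater than 1, and that PID must currently belong to a process with the expected command name. It assumes Linux (`/proc/<pid>/comm`) and GNU coreutils `stat -c`; the names `validate_pidfile` and `safe_stop` are chosen here and are not part of OpenRC or dspam.

```shell
#!/bin/sh
# Added example, not code from the bug report or from dspam: validate a PID
# file before a (root-run) stop action signals the PID it names.
# Assumes Linux (/proc/<pid>/comm) and GNU coreutils `stat -c`.

# validate_pidfile PIDFILE EXPECTED_COMM
# On success prints the PID and returns 0; otherwise prints a reason on
# stderr and returns 1.
validate_pidfile() {
    pidfile=$1
    expected=$2
    dir=$(dirname "$pidfile")

    # 1. The directory must belong to the user running the stop action and
    #    must not be writable by group or others. A directory owned by the
    #    daemon's user (the checkpath line in the report) lets that user
    #    replace the file with any PID it likes.
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
        echo "refusing $pidfile: cannot stat $dir" >&2; return 1; }
    set -- $info
    owner=$1
    mode=$2
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $pidfile: $dir is owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    # Second-to-last octal digit is group, last is other; 2,3,6,7 carry the
    # write bit.
    case $mode in
        *[2367]?|*[2367])
            echo "refusing $pidfile: $dir is group- or world-writable (mode $mode)" >&2
            return 1 ;;
    esac

    # 2. The file must be a regular file (not a symlink pointing elsewhere)
    #    holding a single positive integer greater than 1.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        echo "refusing $pidfile: not a regular file" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*)
            echo "refusing $pidfile: content is not a PID" >&2
            return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "refusing $pidfile: will not signal PID $pid" >&2
        return 1
    fi

    # 3. The PID must currently belong to the daemon we started. A stale or
    #    planted PID that points at some other process is rejected.
    comm=$(cat "/proc/$pid/comm" 2>/dev/null) || {
        echo "refusing $pidfile: no process with PID $pid" >&2; return 1; }
    if [ "$comm" != "$expected" ]; then
        echo "refusing $pidfile: PID $pid is '$comm', expected '$expected'" >&2
        return 1
    fi

    printf '%s\n' "$pid"
}

# safe_stop PIDFILE EXPECTED_COMM [SIGNAL]
# Sends SIGNAL (default TERM) only to a PID that passes validate_pidfile;
# a stop action would call this in place of a bare `kill $(cat "$pidfile")`.
safe_stop() {
    pid=$(validate_pidfile "$1" "$2") || return 1
    kill -s "${3:-TERM}" "$pid"
}
```

The report's own fix avoids the question entirely by running dspam in the foreground and letting OpenRC create and own the PID file (OpenRC's `command_background` and `pidfile` variables), so nothing the daemon's user writes is ever consulted by the stop action. The check above is for init scripts that still have to honour a daemon-written PID file; note that it would also refuse a file under /tmp, since a world-writable directory fails the permission test.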