| Summary: | mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security Audit Team <security-audit> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The package has been removed. |
The anomy-sanitizer ebuild calls "chown -R" in pkg_postinst: pkg_postinst() { chown -R sanitizer:sanitizer "${ROOT}"/${SANI_WORKDIR} The "sanitizer" user can exploit this to gain root by placing a link in SANI_WORKDIR. For example, 1. emerge anomy-sanitizer 2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/sanitizer/x' sanitizer 3. emerge anomy-sanitizer 4. /etc/passwd is owned by "sanitizer" I'm marking this private but the package is maintainer-needed, so security@ please CC someone who might want to fix it.