Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630900

Summary: mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security Audit Team <security-audit>
Status: RESOLVED OBSOLETE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-13 16:20:48 UTC
The anomy-sanitizer ebuild calls "chown -R" in pkg_postinst:

  pkg_postinst() {
      chown -R sanitizer:sanitizer "${ROOT}"/${SANI_WORKDIR}

The "sanitizer" user can exploit this to gain root by placing a link in SANI_WORKDIR. For example,

  1. emerge anomy-sanitizer
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/sanitizer/x' sanitizer
  3. emerge anomy-sanitizer
  4. /etc/passwd is owned by "sanitizer"

I'm marking this private but the package is maintainer-needed, so security@ please CC someone who might want to fix it.
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-04-21 10:40:41 UTC
The package has been removed.