| Summary: | net-im/openfire: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | CC: | maintainer-needed, security-audit |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The ".*confidential.*" red text does not actually say on the next step for this issue. Should I attach ebuild fix once I get it ready here or someone else already actively handling it? (In reply to Sergei Trofimovich from comment #1) > The ".*confidential.*" red text does not actually say on the next step for > this issue. > > Should I attach ebuild fix once I get it ready here or someone else > already actively handling it? Just fix it and post here when you're done =) There's nothing special about the private bug, I was just asked to mark these sorts of issues private until they're fixed. This issue should be fixed in the -r2. I just reordered things so that it's not necessary to call chown/chmod at any point. @security, we should open up this bug and ask the arch teams to test it. Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 pkg is no longer in tree. |
The openfire ebulds call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { ... chown -R jabber:jabber "${ROOT}"/opt/openfire } This can be exploited by the "jabber" user to gain root, if he places a hard link to a root-owned file in /opt/openfire. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "jabber" user. For example, 1. emerge openfire 2. su -s /bin/sh -c 'ln /etc/passwd /opt/openfire/x' jabber 3. emerge openfire 4. /etc/passwd is owned by jabber:jabber