Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630920

Summary: net-proxy/wwwoffle: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, security-audit, treecleaner
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-13 18:30:24 UTC 
The wwwoffle ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R wwwoffle:wwwoffle "${ROOT}/var/spool/wwwoffle" ...

This can be exploited by the "wwwoffle" user to gain root if he places a hard link to a root-owned file in that directory. The next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's file to the "wwwoffle" user. For example,

  1. emerge wwwoffle
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/wwwoffle/x' wwwoffle
  3. emerge wwwoffle
  4. /etc/passwd is owned by the "wwwoffle" user

I'm marking this private, but the package is maintainer-needed, so security@ will need to find someone appropriate to CC to fix it.
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:43:32 UTC 
No maintainer, no upstream release in 3+ years, open security bugs... treeclean!
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:19 UTC 
Unrestricting and reassigning to security@ per bug #705894
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:16 UTC 
unrestricting per bug 705894
Comment 4 John Helmert III gentoo-dev Security 2021-01-06 06:59:26 UTC 
CCing treecleaner as previously suggested
Comment 5 Larry the Git Cow gentoo-dev 2021-04-17 19:20:24 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dee948f4fb57a4f6bcc4457bcf9751a7345d4ba

commit 3dee948f4fb57a4f6bcc4457bcf9751a7345d4ba
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-17 19:10:50 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-17 19:19:39 +0000

    net-proxy/wwwoffle: drop old version
    
    Closes: https://bugs.gentoo.org/630920
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-proxy/wwwoffle/wwwoffle-2.9i-r1.ebuild | 107 -----------------------------
 1 file changed, 107 deletions(-)