| Summary: | net-proxy/wwwoffle: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | mgorny, security-audit |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
No maintainer, no upstream release in 3+ years, open security bugs... treeclean! Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 |
The wwwoffle ebuild calls "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { ... chown -R wwwoffle:wwwoffle "${ROOT}/var/spool/wwwoffle" ... This can be exploited by the "wwwoffle" user to gain root if he places a hard link to a root-owned file in that directory. The next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's file to the "wwwoffle" user. For example, 1. emerge wwwoffle 2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/wwwoffle/x' wwwoffle 3. emerge wwwoffle 4. /etc/passwd is owned by the "wwwoffle" user I'm marking this private, but the package is maintainer-needed, so security@ will need to find someone appropriate to CC to fix it.