Summary: | mail-filter/spamass-milter: privilege escalation via PID file manipulation
---|---
Product: | Gentoo Security
Reporter: | Michael Orlitzky <mjo>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | maintainer-needed, net-mail+disabled, tb, treecleaner
Priority: | Normal
Keywords: | PMASKED
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | B3 [noglsa]
Package list: |
Runtime testing required: | ---
Deadline: | 2019-05-24
Attachments: | attachment 494528: spamass-milter.conf4; attachment 494530: spamass-milter.rc5
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c3b2530968d44c5e46fad371b300bd643e1e934

commit 8c3b2530968d44c5e46fad371b300bd643e1e934
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-24 12:49:05 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-24 12:50:13 +0000

    package.mask: Last rite mail-filter/spamass-milter

    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30a7ed2d867921b830e8f2329519fdb34ab9cb5f

commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-05-28 13:32:15 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-05-28 13:32:41 +0000

    mail-filter/spamass-milter: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 mail-filter/spamass-milter/Manifest                |  1 -
 mail-filter/spamass-milter/files/README.gentoo     | 52 ------------
 .../files/spamass-milter-auth_users.patch          | 92 ----------------------
 .../spamass-milter/files/spamass-milter.conf3      | 29 -------
 .../spamass-milter/files/spamass-milter.rc4        | 54 -------------
 mail-filter/spamass-milter/metadata.xml            |  5 --
 .../spamass-milter/spamass-milter-0.3.2.ebuild     | 41 ----------
 profiles/package.mask                              |  7 --
 8 files changed, 281 deletions(-)

Removed over a year ago so no GLSA, tree is clean, closing.
Created attachment 494526
spamass-milter.rc5

The init script for spamass-milter gives ownership of its PID file directory to the daemon's runtime user:

```sh
checkconfig() {
    # piddir defaults to /var/run/milter and is handed to the milter user
    if [ ! -d ${piddir:=/var/run/milter} ]; then
        checkpath -q -d -o milter:milter -m 0755 ${piddir} || return 1
    fi
}
```

This can be exploited by the "milter" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of that file.

I've rewritten the init script to work around this. The spamass-milter can't drop privileges on its own, so instead of using the daemon-created PID file, I had the daemon run in the foreground and let OpenRC manage the PID file at /run/spamass-milter.pid. I also cleaned up the socket code and the retry/wait stuff during start/stop. I've restarted the daemon a bunch of times with no problem.

If it's all the same, I would also suggest that we make the $SOCKET path something like /run/milter/${RC_SVCNAME}.sock (which happens to be the default, anyway). The fact that we change ownership of the directory containing that variable is a little sneaky, and could mess up users' systems if they put e.g. SOCKET=/run/foo.sock. If the value was fixed at SOCKET=/run/milter/${RC_SVCNAME}.sock, then we could hard code the "checkpath" call to affect /run/milter.
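The report above describes the missing check: root reads a PID out of a file that the daemon's own user can rewrite, then signals whatever number it finds. The following is an added example, not part of the bug report, the attachments or the spamass-milter package. It is a POSIX shell routine that an init script's stop() could run before signalling anything: it refuses a PID file unless the file and its directory are owned by the expected uid and writable by nobody else, unless the file holds exactly one PID, and unless /proc/PID/comm still names the expected daemon. The function names (`pidfile_trusted`, `pidfile_read`, `pid_is_daemon`, `safe_stop_pid`, `demo`) are this example's own, and it assumes a Linux host with GNU or busybox `stat -c` and procfs.

```shell
#!/bin/sh
# Added example; not code from the Gentoo bug, its attachments or spamass-milter.
# Guard root's "kill $(cat pidfile)" against a PID file under the daemon
# user's control, which is the root cause of the report above.

# pidfile_trusted PIDFILE OWNER_UID
# Succeeds only if PIDFILE and the directory holding it are owned by
# OWNER_UID and are neither group- nor world-writable. A daemon-owned
# /run/milter directory fails this check.
pidfile_trusted() {
    pf=$1; want_uid=$2
    for path in "$(dirname "$pf")" "$pf"; do
        uid=$(stat -c %u "$path" 2>/dev/null) || return 1    # GNU/busybox stat assumed
        perms=$(stat -c %A "$path" 2>/dev/null) || return 1  # e.g. drwxr-xr-x
        [ "$uid" = "$want_uid" ] || return 1
        case $perms in
            ?????w*|????????w*) return 1 ;;  # group-write (6th) or other-write (9th) char
        esac
    done
    return 0
}

# pidfile_read PIDFILE
# Prints the PID if the file holds exactly one positive integer; fails otherwise
# (an embedded newline or any non-digit is rejected by the pattern).
pidfile_read() {
    pid=$(tr -d ' \t\r' < "$1" 2>/dev/null) || return 1
    case $pid in
        ''|0|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# pid_is_daemon PID COMM
# Succeeds if /proc/PID/comm names the expected daemon (Linux procfs assumed).
pid_is_daemon() {
    [ -r "/proc/$1/comm" ] || return 1
    [ "$(cat "/proc/$1/comm")" = "$2" ]
}

# safe_stop_pid PIDFILE OWNER_UID COMM
# Dry run for an init script's stop(): prints the PID that may be signalled,
# or a reason on stderr with status 1 (untrusted file), 2 (bad contents) or
# 3 (PID no longer belongs to the daemon). The caller performs the kill.
safe_stop_pid() {
    pf=$1; want_uid=$2; comm=$3
    pidfile_trusted "$pf" "$want_uid" ||
        { echo "refusing: $pf is writable by someone other than uid $want_uid" >&2; return 1; }
    pid=$(pidfile_read "$pf") ||
        { echo "refusing: $pf does not contain a single PID" >&2; return 2; }
    pid_is_daemon "$pid" "$comm" ||
        { echo "refusing: pid $pid is not a running $comm" >&2; return 3; }
    printf '%s\n' "$pid"
}

# Demonstration on constructed fixtures in a temporary directory: one PID file
# in a well-owned 0755 directory, one in a 0777 directory the way a
# daemon-writable piddir would be. Both name this shell's own PID.
demo() {
    me=$(id -u)
    tmp=$(mktemp -d) || return 1
    mkdir -m 0755 "$tmp/good" && mkdir -m 0777 "$tmp/bad" || return 1
    printf '%s\n' "$$" > "$tmp/good/demo.pid"; chmod 0644 "$tmp/good/demo.pid"
    printf '%s\n' "$$" > "$tmp/bad/demo.pid";  chmod 0644 "$tmp/bad/demo.pid"
    shell_comm=$(cat "/proc/$$/comm")
    safe_stop_pid "$tmp/good/demo.pid" "$me" "$shell_comm" &&
        echo "ok: would signal our own shell (expected)"
    safe_stop_pid "$tmp/bad/demo.pid" "$me" "$shell_comm" ||
        echo "blocked: directory is writable by others (expected)"
    safe_stop_pid "$tmp/good/demo.pid" "$me" spamass-milter ||
        echo "blocked: PID is not a spamass-milter process (expected)"
    rm -rf "$tmp"
}

demo
```

The ownership check is the one that matters for this bug: a PID file whose directory belongs to the milter user fails it even when the contents look plausible, and the /proc/PID/comm comparison additionally stops a stale or substituted PID from being signalled. The reporter's fix takes the other route, running the daemon in the foreground so OpenRC writes the PID file itself under root-owned /run; in OpenRC that is what `command_background=yes` together with a root-owned `pidfile` gives you, and it removes the need to trust anything the daemon's user can write.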