Bug 631020 (CVE-2017-14483)

Summary: <dev-python/flower-0.9.1-r1: privilege escalation via PID file manipulation
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa cve]
Package list: =dev-python/flower-0.9.1-r1
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-14 22:24:30 UTC
This init script for flower gives ownership of its PID file directory to the daemon's runtime user:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

That can be exploited by $user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $user).

Fortunately, the PID file is already created as root:root, so the call to checkpath above is superfluous, and the issue can be fixed by setting,

  pidfile="/run/${RC_SVCNAME}.pid"

and by deleting the start_pre() function entirely.

Some unrelated suggestions:

  1. Change the deprecated $SVCNAME to $RC_SVCNAME
  2. Use command_user instead of --user and --group in start_stop_daemon_args.
  3. One of "need net" and "after net" is redundant.
  4. The ebuild runs,

       fowners ${PN}:${PN} /var/log/${PN}

     but the init script gives you the ability to switch users. If the
     user and group are ever switched, the ownership information on
     /var/log/flower will be wrong. Unless there's a good reason for it,
     I would settle on user=group=flower and leave it unconfigurable.
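The report above explains the failure mode: once the daemon's user owns the PID file directory, that user can replace the file's contents, and root's stop action signals whatever PID it finds. The following is an added example, not code from the bug report, from OpenRC or from the flower package, showing the ownership and permission property that the fix (a root-owned /run/${RC_SVCNAME}.pid with no chown of the directory) provides, written as an explicit check a stop path could run before signalling. The function names (pidfile_is_trusted, pid_uid, safe_stop) are hypothetical; the script assumes Linux with GNU coreutils `stat` and a mounted /proc.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug, OpenRC or flower). Helper names are
# hypothetical. Assumes Linux, GNU coreutils `stat`, and a mounted /proc.

# pidfile_is_trusted PIDFILE OWNER_UID
# Succeeds only if PIDFILE and its parent directory both exist, are owned by
# OWNER_UID, are neither group- nor world-writable, and the file holds a
# single positive integer. A directory owned by the daemon user (the bug's
# checkpath -o "${user}":"${group}") fails the ownership test for OWNER_UID=0.
pidfile_is_trusted() {
    pit_file=$1
    pit_owner=$2
    pit_dir=$(dirname "$pit_file")
    for pit_path in "$pit_dir" "$pit_file"; do
        [ -e "$pit_path" ] || return 1
        pit_st=$(stat -c '%u %A' "$pit_path") || return 1
        pit_uid=${pit_st%% *}
        pit_mode=${pit_st#* }
        [ "$pit_uid" = "$pit_owner" ] || return 1
        # symbolic mode looks like drwxr-xr-x: char 6 is the group write bit,
        # char 9 is the other write bit; either one means someone else can
        # rewrite the PID
        case "$pit_mode" in
            ?????w*|????????w*) return 1 ;;
        esac
    done
    pit_pid=$(cat "$pit_file") || return 1
    # exactly one positive integer; "0" would signal the whole process group
    case "$pit_pid" in
        ''|0|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# pid_uid PID
# Prints the real uid of the running process PID (from /proc), or fails.
pid_uid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
}

# safe_stop PIDFILE OWNER_UID DAEMON_UID [SIGNAL]
# Signals the PID in PIDFILE only if the file is trusted and the target
# process really runs as DAEMON_UID, so a PID pointing at a root process is
# refused even if the file somehow came to contain it.
safe_stop() {
    ss_file=$1; ss_owner=$2; ss_daemon=$3; ss_sig=${4:-TERM}
    pidfile_is_trusted "$ss_file" "$ss_owner" || {
        echo "refusing: untrusted pidfile $ss_file"; return 1; }
    ss_pid=$(cat "$ss_file")
    ss_uid=$(pid_uid "$ss_pid") || {
        echo "refusing: pid $ss_pid is not running"; return 1; }
    [ "$ss_uid" = "$ss_daemon" ] || {
        echo "refusing: pid $ss_pid runs as uid $ss_uid, not $ss_daemon"; return 1; }
    kill -s "$ss_sig" "$ss_pid"
}

# Self-contained demonstration with constructed files in a temporary directory.
# A background `sleep` stands in for the daemon; the current uid stands in for
# both the file owner and the daemon user.
demo_dir=$(mktemp -d)
chmod 0755 "$demo_dir"
demo_pidfile="$demo_dir/flower.pid"
sleep 60 &
demo_bg=$!
echo "$demo_bg" > "$demo_pidfile"
chmod 0644 "$demo_pidfile"
me=$(id -u)
safe_stop "$demo_pidfile" "$me" "$me" TERM && echo "sent SIGTERM to pid $demo_bg"
wait "$demo_bg" 2>/dev/null || true
# Stand-in for the bug: once someone other than the expected owner can write
# the directory (here: world-writable), the stop path refuses to trust the PID.
chmod 0777 "$demo_dir"
safe_stop "$demo_pidfile" "$me" "$me" TERM || echo "stop blocked by pidfile check"
kill "$demo_bg" 2>/dev/null
rm -rf "$demo_dir"
```

The ownership check is the piece the report relies on: with pidfile="/run/${RC_SVCNAME}.pid" and no start_pre(), /run is root-owned and the daemon user cannot create or replace the file, so the check passes for OWNER_UID=0 without any extra code. The uid comparison in safe_stop is a second, independent guard for the case the report describes, where the file points at a root process.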
Comment 1 Zac Medico gentoo-dev 2017-09-14 23:57:40 UTC
Fixed in 0.9.1-r1:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54fcfe2d700b35705ce973ef2dab40212854b3b3

There are no older versions to remove.
Comment 2 Aleksandr Wagner (Kivak) 2017-09-15 01:50:12 UTC
This bug will be kept open for CVE assignment, the CVE has been requested.

Gentoo Security Padawan
Kivak