
Bug 631720 (CVE-2017-14681)

Summary: mail-filter/p3scan: privilege escalation via PID file manipulation
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: net-mail+disabled, treecleaner
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceforge.net/p/p3scan/bugs/33/
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-22 12:14:34 UTC
The p3scan daemon creates its PID file after dropping privileges to a non-root user. That may be exploited (through init scripts or other management tools) by the unprivileged user to kill root processes, since when the daemon is stopped, root usually sends a SIGTERM to the contents of the PID file (which are under the control of the runtime user). P3Scan itself ships two init scripts vulnerable to this attack. Our OpenRC init script is also vulnerable.

There is no good workaround for this one, and upstream is dead, so the best we can do is try to verify the PID file data in the init script. You can get the user and program name associated with a PID by,

  ps -p <pid> -o user=

and

  ps -p <pid> -o comm=

The output of those commands can be checked against the expected values before signaling the process.
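Added example (not part of the bug report, and not p3scan's or Gentoo's init script): a POSIX sh check in the spirit of the description above, which an init script's stop action can run before it sends SIGTERM to whatever the PID file names. It reads the owner and command name from /proc, which is the same information `ps -p <pid> -o user=` and `ps -p <pid> -o comm=` report, so it also works on minimal systems without procps; the PID file path, user name and command name passed to it are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: verify a PID file written by an unprivileged user before
# root signals its contents. Not p3scan's code; the arguments are assumptions.

# Real UID of a running process, from the "Uid:" line of /proc/PID/status.
# This is the value that "ps -p PID -o user=" resolves to a user name.
proc_uid() {
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Command name as the kernel records it (what "ps -p PID -o comm=" prints).
# Caveat: at most 15 characters, and a process can change it with
# prctl(PR_SET_NAME), so this is a sanity check, not proof of identity.
proc_comm() {
    cat "/proc/$1/comm" 2>/dev/null
}

# pidfile_check PIDFILE EXPECTED_USER EXPECTED_COMM
# Prints the verified PID on stdout and returns 0, or prints a reason on
# stderr and returns 1 without printing a PID.
pidfile_check() {
    pidfile=$1; want_user=$2; want_comm=$3
    [ -f "$pidfile" ] || { echo "$pidfile: no such file" >&2; return 1; }

    # The file is written by the runtime user, so treat it as untrusted:
    # take the first line only and strip surrounding whitespace.
    pid=$(head -n 1 "$pidfile" 2>/dev/null | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')

    # Accept only a positive decimal integer: no "-1", no "1 2", no "$(...)".
    case $pid in
        ''|*[!0-9]*) echo "$pidfile: contents '$pid' are not a PID" >&2; return 1 ;;
    esac

    # Refuse 0 (kill would hit the whole process group) and 1 (init).
    if [ "$pid" -le 1 ]; then
        echo "$pidfile: refusing to signal PID $pid" >&2
        return 1
    fi

    [ -d "/proc/$pid" ] || { echo "$pidfile: PID $pid is not running" >&2; return 1; }

    # Compare numeric UIDs so that name truncation in ps output cannot matter.
    want_uid=$(id -u "$want_user" 2>/dev/null) || {
        echo "$pidfile: unknown user '$want_user'" >&2; return 1; }
    have_uid=$(proc_uid "$pid")
    have_comm=$(proc_comm "$pid")

    if [ "$have_uid" != "$want_uid" ]; then
        echo "$pidfile: PID $pid has uid '$have_uid', expected $want_user ($want_uid)" >&2
        return 1
    fi
    if [ "$have_comm" != "$want_comm" ]; then
        echo "$pidfile: PID $pid is '$have_comm', expected '$want_comm'" >&2
        return 1
    fi

    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE EXPECTED_USER EXPECTED_COMM
# Send SIGTERM only if the PID file passes every check above. An init script
# would call something like:  stop_daemon /run/p3scan.pid p3scan p3scan
# (the path and names are assumed here, not taken from the p3scan package).
stop_daemon() {
    pid=$(pidfile_check "$1" "$2" "$3") || return 1
    kill -TERM "$pid"
}
```

Two caveats a practitioner should keep in mind. First, the UID comparison is the load-bearing check: the command name can be forged by the runtime user's own process, and the worst the forged name buys an attacker is a SIGTERM to a process that user already controls. Second, there is still a window between the check and the `kill` in which the PID could be reused; that window is narrow, but the real fix is to have the PID recorded by root (written before privileges are dropped, or by the supervisor that started the daemon) rather than to validate a file the daemon's unprivileged user can rewrite.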
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 17:24:45 UTC
@Maintainers please let us know when the fix is added to our ebuild.

Thank you
Comment 2 Michael Orlitzky gentoo-dev 2018-01-06 17:08:44 UTC
Is anyone still using this? In my little corner of the mail world, the concept of a POP3 proxy is pretty outdated, and upstream has been dead for a while. The latest release was 3.0_rc1 in 2008. If no one cares, we can just treeclean it.
Comment 3 Pacho Ramos gentoo-dev 2018-04-29 17:25:11 UTC
removed