| Field | Value |
|---|---|
| Summary | net-misc/apt-cacher-ng-3.5_p3: privilege escalation via PID file manipulation |
| Product | Gentoo Security |
| Reporter | Michael Orlitzky <mjo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | ajak, deb-tools+disabled, jer |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/19261 |
| Whiteboard | ~3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Deadline | 2020-06-30 |
Attachments: initd-r2 (attachment 496192), confd-r1 (attachment 496194)

Description (Michael Orlitzky, reporter):

Created attachment 496192: initd-r2

The apt-cacher-ng init script gives ownership of its PID file directory to its runtime user:

```sh
RUNDIR="/var/run/${RC_SVCNAME}"
PIDFILE="${RUNDIR}/${RC_SVCNAME}.pid"

start() {
    ebegin "Starting ${RC_SVCNAME}"
    checkpath -d -m 0755 -o ${RC_SVCNAME}:${RC_SVCNAME} "${RUNDIR}"
    ...
```

That can be exploited by the apt-cacher-ng user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the "apt-cacher-ng" user).

I've rewritten the init script to work around the issue, by letting OpenRC create the PID file as root, and by storing it directly in /run. I've also updated some other stuff:

1. Don't use RC_SVCNAME for the $command, since the $command doesn't change if you run multiple instances of apt-cacher-ng.
2. Run apt-cacher-ng in the foreground, and don't have it write a PID file. This was needed to allow OpenRC to manage the PID file securely.
3. Used $retry to eliminate the stop() function.
4. Dropped "use net" and added an rc_need=net.lo line to the conf.d file. This is more semantically correct, since the daemon will start just in its default configuration once net.lo is up. And more importantly, it allows us to place a comment right there, explaining what to do if the user wants to bind to a *particular* interface.

Created attachment 496194: confd-r1

John Helmert III (comment #2):

Maintainer: Ping.

(In reply to John Helmert III from comment #2)
> Maintainer: Ping.

I doubt the maintainer will even reply to this bug. If not, we will last-rite the package soon.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=643ed593c89f5f81e01cd5371cd06ab41b7349a9

```
commit 643ed593c89f5f81e01cd5371cd06ab41b7349a9
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-30 05:26:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-02-11 08:56:03 +0000

    net-misc/apt-cacher-ng: bump to 3.5_p3

    Rework so as to not install everything manually in src_install but
    rely on the build system, clean up src_configure a bit, clean up
    dependencies, drop useless IUSE=systemd and related dependency, drop
    user.eclass and depend on acct-{user,group} packages, and update the
    OpenRC init.d and conf.d files to fix a security bug. These files
    were written by Michael Orlitzky (mjo).

    Bug: https://bugs.gentoo.org/631878
    Closes: https://bugs.gentoo.org/538214
    Closes: https://bugs.gentoo.org/701220
    Thanks-to: Michael Orlitzky <mjo@gentoo.org>
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/apt-cacher-ng/Manifest                    |   2 +-
 .../apt-cacher-ng/apt-cacher-ng-3.5_p1-r1.ebuild   | 129 ---------------------
 net-misc/apt-cacher-ng/apt-cacher-ng-3.5_p3.ebuild |  97 ++++++++++++++++
 net-misc/apt-cacher-ng/files/confd-r2              |   9 ++
 net-misc/apt-cacher-ng/files/initd-r3              |  20 ++++
 5 files changed, 127 insertions(+), 130 deletions(-)
```

PR updated acng with a rename, so cleanup done simultaneously with bump.

All done. Thanks mjo!
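The invariant the fix relies on is that root, not the service user, owns the PID file and the directory it lives in, so that the PID root signals on stop cannot be steered by an unprivileged account. The script below is an added example, not code from the bug report or from the Gentoo init scripts: it turns that invariant into a check a stop hook could run before trusting a PID file, and rejects a file whose directory is writable by others, whose content is not a single PID, or whose PID no longer names the expected process (a stale PID can be reused by an unrelated, possibly root-owned, process). It assumes POSIX sh, a GNU (`-c`) or BSD (`-f`) `stat`, and either `/proc/<pid>/comm` or `ps`; the function names, the `acng.pid` file names and the scratch directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Gentoo init scripts.
# Checks whether a PID file may be trusted before its PID is signalled.
# Assumptions: POSIX sh; stat(1) is GNU (-c) or BSD (-f); /proc/<pid>/comm
# or ps(1) is available to read a process's command name.

# Print "<owner uid> <octal mode>" for a path: GNU stat first, BSD fallback.
file_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1" 2>/dev/null
}

# owned_and_private PATH WANT_UID: succeed only if PATH is owned by WANT_UID
# and carries no group or other write bit (octal mode masked with 022).
owned_and_private() {
    info=$(file_uid_mode "$1") || return 1
    uid=${info%% *}
    mode=${info#* }
    [ -n "$info" ] && [ "$uid" = "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# process_comm PID: the kernel's short command name for PID, or nothing.
process_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# pidfile_is_trusted PIDFILE WANT_UID WANT_COMM
# Returns 0 only when the PID file and its directory belong to WANT_UID and
# nobody else can write them, the file holds exactly one PID greater than 1,
# and that PID currently runs a process named WANT_COMM.
pidfile_is_trusted() {
    pf=$1; want_uid=$2; want_comm=$3
    owned_and_private "$(dirname "$pf")" "$want_uid" || return 1
    owned_and_private "$pf" "$want_uid" || return 1
    [ -r "$pf" ] || return 1
    pid=
    IFS= read -r pid < "$pf" || [ -n "$pid" ] || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # empty, several fields, or not a number
    esac
    [ "$pid" -gt 1 ] || return 1    # never signal PID 0 or 1 from a file
    [ "$(process_comm "$pid")" = "$want_comm" ]
}

# verdict ARGS...: one word describing the result of pidfile_is_trusted.
verdict() {
    pidfile_is_trusted "$@" && echo trusted || echo untrusted
}

# Constructed demonstration in a scratch directory (no real service involved).
# "vuln" mirrors the original layout, where a non-root party can rewrite the
# directory contents (simulated with mode 0777); "fixed" mirrors the corrected
# layout, where directory and file are private to their owner. Every file is
# checked with this script's own PID and command name, so only the layout,
# the expected name, or the content differs between the cases.
demo() {
    me=$(id -u)
    comm=$(process_comm $$)
    tmp=$(mktemp -d) || return 1

    mkdir -m 0777 "$tmp/vuln" && printf '%s\n' "$$" > "$tmp/vuln/acng.pid"
    mkdir -m 0755 "$tmp/fixed" && printf '%s\n' "$$" > "$tmp/fixed/acng.pid"
    chmod 0644 "$tmp/fixed/acng.pid"
    printf 'not a pid\n' > "$tmp/fixed/garbage.pid"
    chmod 0644 "$tmp/fixed/garbage.pid"

    out="vuln=$(verdict "$tmp/vuln/acng.pid" "$me" "$comm")"
    out="$out fixed=$(verdict "$tmp/fixed/acng.pid" "$me" "$comm")"
    out="$out wrongname=$(verdict "$tmp/fixed/acng.pid" "$me" "not-$comm")"
    out="$out garbage=$(verdict "$tmp/fixed/garbage.pid" "$me" "$comm")"
    rm -rf "$tmp"
    echo "$out"
}

demo
```

Run as-is it prints `vuln=untrusted fixed=trusted wrongname=untrusted garbage=untrusted`. In a real stop hook the call would be `pidfile_is_trusted "$pidfile" 0 apt-cacher-ng` before any `kill`; the decisive detail, as in the report, is that ownership of the directory, not only of the file, determines who controls the PID that root will signal.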