
Bug 751415 (CVE-2017-18925)

Summary: sys-apps/opentmpfiles: Root privilege escalation (mishandling of 'd' entries) (CVE-2017-18925)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: major
CC: azat, dan, filip.ambroz, kfm, marcoep, mjo, ms, openrc, sandino, williamh
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/OpenRC/opentmpfiles/issues/4
See Also: https://bugs.gentoo.org/show_bug.cgi?id=647752
https://bugs.gentoo.org/show_bug.cgi?id=647796
https://bugs.gentoo.org/show_bug.cgi?id=755983
Whiteboard: B1 [upstream]
Package list:
Runtime testing required: ---
Bug Depends on: 751652    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-27 01:42:56 UTC
Description:
"opentmpfiles through 0.3.1 allows local users to take ownership of arbitrary files because d entries are mishandled and allow a symlink attack."

Notes:
* This IS the opentmpfiles equivalent of bug 647796.
* This isn't the same as bug 647752 which is mostly mitigated by the baselayout change (sysctl).
Comment 1 filip ambroz 2020-10-27 09:00:43 UTC
*** Bug 751427 has been marked as a duplicate of this bug. ***
Comment 2 Michael Orlitzky gentoo-dev 2020-10-27 19:08:36 UTC
More information: http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
Comment 3 Larry the Git Cow gentoo-dev 2020-10-29 06:42:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9be32a62cbaaf4c629dee12d6264b80799e7cb25

commit 9be32a62cbaaf4c629dee12d6264b80799e7cb25
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:41:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:47 +0000

    virtual/tmpfiles: add systemd-tmpfiles standalone provider
    
    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/tmpfiles/tmpfiles-0.ebuild | 1 +
 1 file changed, 1 insertion(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0127bd04e1966c212b541d0a6e2fdcb9f5a7251e

commit 0127bd04e1966c212b541d0a6e2fdcb9f5a7251e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:39:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:46 +0000

    sys-apps/systemd-tmpfiles: add ~amd64 ~arm64 ~ppc64 keywords
    
    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 William Hubbs gentoo-dev 2020-10-30 15:33:51 UTC
I think that since systemd-tmpfiles uses a lot of systemd code, there is
a chance it won't work for musl.
Comment 5 davidf4 2021-07-08 21:18:34 UTC
Due to the ongoing objections by some to anything related to systemd, may I suggest that the "masked" message be appended to note that even the authors of OpenTmpFiles recommend shifting to this package due to the lack of progress resolving the bug in their package?

I was able to research and find the note in their "issues" section so I'll go ahead and unmask this particular systemd package.

Thanks,
Comment 6 davidf4 2021-07-08 21:20:08 UTC
> I was able to research and find the note in their "issues" section so I'll
> go ahead and unmask this particular systemd package.

Make that "unmask on my personal system".  I'm not going to commit anything to the overall Gentoo ecosystem...
Comment 7 NATTkA bot gentoo-dev Security 2021-07-29 17:25:34 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev Security 2021-07-29 17:42:00 UTC
Package list is empty or all packages have requested keywords.
Comment 9 Hans de Graaff gentoo-dev Security 2023-10-19 15:13:48 UTC
This package has been removed.