Bug 767781 (CVE-2019-25016)

Summary:	<app-admin/doas-6.8.1: fails to always reset PATH (CVE-2019-25016)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	felix.janda, proxy-maint
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	C1 [glsa+ cve]
Package list:	app-admin/doas-6.8.1-r1	Runtime testing required:	---

Description Sam James archtester

2021-01-28 21:33:47 UTC

"There is an unsafe incomplete reset of PATH in OpenDoas 6.6 through 6.8 when changing the user context."

See https://github.com/Duncaen/OpenDoas/issues/45 for more discussion:

"Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019.

One nuance about this is that the users PATH will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin.
If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset the PATH variable was already correct before this fix).

This means before the fix, users who only had access to execute a specific command were not able to execute other command through a "unsafe" PATH.

Users who were allowed to execute anything could change PATH to execute more things from PATH."

Comment 1 Sam James archtester

2021-01-30 04:00:19 UTC

Please bump to 6.8.1.

(NOTE: Provisionally calling it C1, but not super happy with that classification.)

Comment 2 Larry the Git Cow gentoo-dev

2021-01-30 21:37:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd

commit 1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-30 21:37:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-30 21:37:21 +0000

    app-admin/doas: security bump to 6.8.1
    
    Bug: https://bugs.gentoo.org/767781
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/doas/Manifest          |  1 +
 app-admin/doas/doas-6.8.1.ebuild | 51 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

Comment 3 NATTkA bot gentoo-dev

2021-01-30 21:40:52 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: app-admin/doas-6.8.2

Comment 4 Sam James archtester

2021-02-01 08:26:57 UTC

arm64 done

Comment 5 Sam James archtester

2021-02-01 08:27:33 UTC

arm done

Comment 6 Sam James archtester

2021-02-01 08:29:09 UTC

amd64 done

all arches done

Comment 7 Sam James archtester

2021-02-01 08:29:43 UTC

Please cleanup!

Comment 8 John Helmert III archtester

2021-05-30 15:56:14 UTC

Cleanup done:

commit 30e45562f3aa3d48e64d08fe5db01b39c84e42ca
Author: Joonas Niilola <juippis@gentoo.org>
Date:   Sat Mar 20 09:10:15 2021 +0200

    app-admin/doas: drop 6.0, 6.6.1, 6.8

    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 delete mode 100644 app-admin/doas/doas-6.0.ebuild
 delete mode 100644 app-admin/doas/doas-6.6.1.ebuild
 delete mode 100644 app-admin/doas/doas-6.8.ebuild

Comment 9 John Helmert III archtester

2021-05-30 16:49:52 UTC

New GLSA request filed.

Comment 10 NATTkA bot gentoo-dev

2021-06-30 18:44:36 UTC

Unable to check for sanity:

> no match for package: app-admin/doas-6.8.1

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2021-07-07 08:05:28 UTC

This issue was resolved and addressed in
 GLSA 202107-11 at https://security.gentoo.org/glsa/202107-11
by GLSA coordinator Sam James (sam_c).