Bug 602492 - <sys-devel/icecream-1.3.1: root privilege escalation
Summary: <sys-devel/icecream-1.3.1: root privilege escalation
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
Importance: Normal major (1 vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-13 02:59 UTC by Michael Orlitzky
Modified: 2021-12-21 04:21 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Michael Orlitzky gentoo-dev 2016-12-13 02:59:30 UTC
The init script for sys-devel/icecream does...

  [[ ! -d /var/log/icecream/ ]] && \
    mkdir -p /var/log/icecream/ && \
    chown icecream:icecream /var/log/icecream/

after which the /var/log/icecream directory is owned by its user. Then, it does

  local slogfile=${ICECREAM_SCHEDULER_LOG_FILE:-"/var/log/icecc_scheduler"}
  touch ${slogfile} && chown icecream:icecream ${slogfile}

Now, the shell default value there is safe, but the conf.d file that we install has

  ICECREAM_SCHEDULER_LOG_FILE="/var/log/icecream/scheduler"

which is under the directory owned by icecream:icecream. To gain root, the icecream user can replace that log file by a symlink to something important (this works because he owns the directory that contains it). The next time the icecream service is started, that important thing will get chowned to icecream:icecream.

p.s. the init script should be POSIX shell, not bash =)
Comment 1 Michael Orlitzky gentoo-dev 2016-12-13 18:17:32 UTC
As we discovered over in bug #602550, users of vanilla-sources (and others) are vulnerable to the same attack using hard links, so simply adding "--no-dereference" to the "chown" call is not enough to fix this.
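As an added example (not the icecream init script or any Gentoo code), here is a POSIX-sh pre-check that a privileged init script could run before its `touch && chown`, covering both vectors raised above: a symlink planted in a directory the service user owns (the description) and a hard link to a root-owned file, which `--no-dereference` alone does not catch (comment 1). It assumes GNU coreutils `stat(1)` and `id(1)` on Linux; the function names, the sample user and the paths are hypothetical.

```shell
#!/bin/sh
# Added example, not the icecream init script or any Gentoo code.
# Pre-check before "touch FILE && chown USER FILE" in a privileged init
# script. Assumes GNU coreutils stat(1)/id(1) (Linux); user names and
# paths are hypothetical arguments. POSIX sh: no [[ ]], no "local".

# safe_to_chown FILE USER
# Return 0 only if FILE cannot have been planted by USER:
#  - the parent directory is neither owned by USER nor group/world-writable
#    (whoever controls the directory controls which inode the name refers to)
#  - FILE is not a symlink (the original vector in this bug)
#  - FILE, if present, is a regular file with exactly one link, so it is not
#    a hard link to some root-owned file (comment 1: -h/--no-dereference
#    alone does not cover this)
safe_to_chown() {
    stc_file=$1 stc_user=$2
    stc_dir=$(dirname -- "$stc_file")
    # USER may be given as a name or a raw uid; compare numerically.
    stc_uid=$(id -u "$stc_user" 2>/dev/null) || stc_uid=$stc_user

    if [ "$(stat -c %u "$stc_dir")" = "$stc_uid" ]; then
        echo "refusing: $stc_dir is owned by $stc_user" >&2; return 1
    fi
    stc_mode=$(stat -c %a "$stc_dir")        # octal, e.g. 755 or 1777
    if [ $((0$stc_mode & 022)) -ne 0 ]; then
        echo "refusing: $stc_dir is group/world-writable" >&2; return 1
    fi
    if [ -L "$stc_file" ]; then
        echo "refusing: $stc_file is a symlink" >&2; return 1
    fi
    if [ -e "$stc_file" ]; then
        if [ ! -f "$stc_file" ]; then
            echo "refusing: $stc_file is not a regular file" >&2; return 1
        fi
        stc_links=$(stat -c %h "$stc_file")
        if [ "$stc_links" -ne 1 ]; then
            echo "refusing: $stc_file has $stc_links hard links" >&2; return 1
        fi
    fi
    return 0
}

# ensure_logfile FILE USER GROUP: the shape the init script should take.
# Once the directory check passes, USER cannot swap the entry between the
# check and the chown, so there is no exploitable race for that user.
ensure_logfile() {
    safe_to_chown "$1" "$2" || return 1
    touch -- "$1" && chown -h "$2:$3" -- "$1"
}
```

The directory check is the real fix (a log file owned by the service user is harmless when its parent directory is root-owned and not writable by that user); the symlink and link-count checks are belt-and-braces for scripts that cannot control where the log directory lives.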
Comment 2 Michael Orlitzky gentoo-dev 2017-09-30 19:45:31 UTC
I think 9 months is a fair embargo period, can this please be made public so that I can reference it in a CVE request?
Comment 3 Michael Orlitzky gentoo-dev 2018-03-10 22:09:08 UTC
Ping? =o
Comment 4 Michael Orlitzky gentoo-dev 2019-09-14 16:37:08 UTC
Nobody's home, CCing mgorny for treeclean.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:17 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:00 UTC
unrestricting per bug 705894
Comment 7 Lucas Yamanishi 2020-05-26 18:04:43 UTC
Fix submitted here: https://github.com/gentoo/gentoo/pull/15975
Comment 8 Michael Orlitzky gentoo-dev 2020-05-26 18:23:24 UTC
(In reply to Lucas Yamanishi from comment #7)
> Fix submitted here: https://github.com/gentoo/gentoo/pull/15975

Sadly this just trades one root exploit for another, because there's a 2.5-year-old root exploit in our default init system that affects your tmpfiles "Z" entry:

  https://github.com/OpenRC/opentmpfiles/issues/3

That's never going to get fixed under the current management, so you should find a way to avoid "Z" entries (and nested "d" or "f" entries) if possible.
Comment 9 Lucas Yamanishi 2020-05-26 20:34:23 UTC
Ah, I copied that file from SuSE without looking at it.  It seems most of these were introduced there.  I've pushed a change to fix it using "d" with an age field.
Comment 10 Larry the Git Cow gentoo-dev 2021-12-21 04:19:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b133beeb3fd21ef368c3fe9b8b05b026ec5cd562

commit b133beeb3fd21ef368c3fe9b8b05b026ec5cd562
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-21 04:10:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-21 04:19:19 +0000

    sys-devel/icecream: update EAPI 7 -> 8, post-review fixes
    
    - Use EAPI 8
    - Use conventional double quotes everywhere
    - Unconditionally install systemd units (see small files policy)
    - Adapt pkg_* for EAPI 7+ (${ROOT} suffix)
    - Style changes (place eclass variables before inherit in general, whitespace)
    - Drop unnecessary econf arg (--enable-fast-install)
    - Add missing dependencies (libarchive, lzo)
    
    Bug: https://bugs.gentoo.org/602492
    Closes: https://bugs.gentoo.org/527376
    Closes: https://bugs.gentoo.org/642674
    Closes: https://bugs.gentoo.org/828135
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/icecream/icecream-1.3.1.ebuild | 64 +++++++++++++++-----------------
 1 file changed, 29 insertions(+), 35 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a857ea599201b42ab12a2919badfd7b34997cbbb

commit a857ea599201b42ab12a2919badfd7b34997cbbb
Author:     Lucas Yamanishi <lucas.yamanishi@gmail.com>
AuthorDate: 2020-05-26 17:58:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-21 04:19:18 +0000

    sys-devel/icecream: Bump to 1.3.1, various fixes
    
    * Fixes bug #602492
    * Adds systemd support
    * Installs firewalld service files
    
    Bug: https://bugs.gentoo.org/602492
    Closes: https://bugs.gentoo.org/527376
    Closes: https://bugs.gentoo.org/642674
    Closes: https://github.com/gentoo/gentoo/pull/15975
    Signed-off-by: Lucas Yamanishi <lucas.yamanishi@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/icecream/Manifest                      |  1 +
 sys-devel/icecream/files/icecc-scheduler.service | 12 ++++
 sys-devel/icecream/files/iceccd.service          | 12 ++++
 sys-devel/icecream/files/icecream-tmpfiles.conf  |  2 +
 sys-devel/icecream/files/icecream.openrc         | 55 +++++++++++++++
 sys-devel/icecream/icecream-1.3.1.ebuild         | 85 ++++++++++++++++++++++++
 6 files changed, 167 insertions(+)