Bug 602588 - <sys-apps/man-db-2.7.6.1-r2: privilege escalation
Summary: <sys-apps/man-db-2.7.6.1-r2: privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.nongnu.org/archive/html...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-13 23:26 UTC by Ian Zimmerman
Modified: 2018-07-29 22:25 UTC

See Also:
Package list:
=sys-apps/man-db-2.7.6.1-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Ian Zimmerman 2016-12-13 23:26:27 UTC
Two privilege escalation issues have been fixed by the newest upstream release of man-db, namely man-db-2.7.6.

The problem descriptions are here:

http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Of these, the first one *may* be specific to Debian.  The second one is definitely relevant to gentoo as well; moreover, I feel that it is a problem that gentoo (unlike Debian) supports no way of removing setuid/setgid bits on man-db related files completely.  These bits seem to exist for only one purpose: on the fly generation of preformatted cat pages, something not needed by the vast majority of modern installations.


Reproducible: Always
Comment 1 Ian Zimmerman 2016-12-13 23:27:37 UTC
Debian bug report, for tracking the fix:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840357
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-15 00:31:47 UTC
This is _not_ CVE-2015-1336 which was handled in bug 568968.


@ Maintainer(s): Can we stabilize =sys-apps/man-db-2.7.6.1-r1?
Comment 3 SpanKY gentoo-dev 2016-12-15 14:56:46 UTC
it is not ready to go stable

that said, this bug isn't exactly a high priority.  it's an escalation from the "man" user which itself is not directly accessible.  so while we should fix it, it's not like people can abuse this w/out some other bug.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-15 16:20:57 UTC
The severity is based on the B1 rating which is defined at https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

It is B rated because the package isn't present on at least 1/20 Gentoo installs, however its default installation is affected.
It is 1 rated because in the end it is allowing root compromise once you have local access.
The fact that the man user isn't directly accessible doesn't affect the security rating. Our rating maybe isn't perfect, but until we have a better policy we have to follow the current policy in place.
Comment 5 SpanKY gentoo-dev 2016-12-15 16:51:16 UTC
(In reply to Thomas Deutschmann from comment #4)

how you want to manage the ratings is fine -- that doesn't matter to me.  i'm just saying that this isn't a high priority to get fixed & stabilized because of its real world impact (or lack thereof).
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 19:03:01 UTC
@ Arches,

please test and mark stable: =sys-apps/man-db-2.7.6.1-r1
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-10 14:56:41 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-10 15:25:21 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-11 10:52:28 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2017-01-13 16:56:40 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-15 16:04:35 UTC
ppc stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:20:52 UTC
Stable on alpha.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-17 00:05:59 UTC
Stable for HPPA.
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:40:09 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:42 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-18 16:06:06 UTC
commit e91b4b2dc9092134cc73fb81b9cacdfa46cce477
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Jan 18 17:02:09 2017

    sys-apps/man-db: Security cleanup (bug #602588).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-18 17:01:05 UTC
New GLSA request filed.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 19:17:42 UTC
@ Maintainer(s): While writing the GLSA I re-read upstream changes (from $URL) and noticed

> * SECURITY: Eliminate dangerous setgid-root directories.  In the default
>   configuration, cache files and directories are now owned by man:man
>   rather than man:root; man and mandb are now setgid man as well as
>   setuid man (except in the --disable-setuid case).  This is a much
>   simpler and safer solution to the original problem that caused my
>   predecessor to make directories setgid root, and doesn't introduce any
>   interesting new privilege since the man group's only real purpose is
>   to be the man user's primary group and nothing in cache directories is
>   group-writeable.
> 
>   Maintainers of distribution packagers should take care to review their
>   installation rules in light of this change.

Looks like we missed the last paragraph. The cronjob we install still does

> [...]
> 
> # Use same perms/settings as the ebuild.
> if [ ! -d /var/cache/man ]; then
>         mkdir -p /var/cache/man
>         chown man:root /var/cache/man
>         chmod 2755 /var/cache/man
> fi
> 
> [...]

(see https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-apps/man-db/files/man-db.cron)

So looks like we need another rev bump and we need to take care of existing installation (adjust permission in pkg_postinst or better remove any existing cache dir and re-create with the next cron job).
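A small audit helper for the situation comment 18 describes: it classifies a man-db cache directory by whether it carries the old cronjob's setgid-root layout (chown man:root + chmod 2755), lists any such directories under a cache tree, and offers the clean-up Thomas suggests (drop the cache and let the next cron run recreate it). This is example code added to this bug page, not part of man-db or of the Gentoo ebuild; it assumes GNU coreutils stat(1) and GNU find(1), and the function names are mine.

```shell
#!/bin/sh
# Audit a man-db cache directory for the "setgid root" layout that the old
# Gentoo cronjob created (chown man:root; chmod 2755).  Added example, not
# code from man-db or the Gentoo ebuild.  Assumes GNU stat/find.

# classify_cache_dir DIR
# Prints one of:
#   missing       - DIR does not exist (returns 1)
#   setgid-root   - DIR has the setgid bit and its group is root (gid 0)
#   setgid-other  - DIR has the setgid bit and a non-root group
#   ok            - no setgid bit on DIR
classify_cache_dir() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 1; }
    # %a = octal mode without leading zero, %g = numeric gid (GNU stat)
    set -- $(stat -c '%a %g' "$dir")
    mode=$1
    gid=$2
    # The leading 0 forces octal interpretation; 02000 is the setgid bit.
    if [ $(( 0$mode & 02000 )) -ne 0 ]; then
        if [ "$gid" -eq 0 ]; then
            echo setgid-root
        else
            echo setgid-other
        fi
    else
        echo ok
    fi
}

# find_setgid_root_dirs ROOT
# Lists every directory below ROOT that is setgid and group root, i.e. the
# layout upstream's 2.7.6 changelog describes as dangerous.
find_setgid_root_dirs() {
    root=$1
    find "$root" -type d -perm -2000 -gid 0 2>/dev/null
}

# reset_cache_dir [DIR]
# The clean-up suggested in comment 18: remove the cache wholesale and let
# the next cron run or mandb invocation recreate it with the new ownership.
# Dry run unless DO_IT=1; needs root on a real /var/cache/man.
reset_cache_dir() {
    dir=${1:-/var/cache/man}
    if [ "${DO_IT:-0}" = 1 ]; then
        rm -rf -- "$dir"
    else
        echo "would remove $dir (set DO_IT=1 to apply)"
    fi
}

# Usage: sh audit-man-cache.sh /var/cache/man
if [ -n "${1:-}" ]; then
    classify_cache_dir "$1"
    find_setgid_root_dirs "$1"
fi
```

The classification only reads the directory's own mode and group; it says nothing about the setuid/setgid bits on the man and mandb binaries themselves, which are a separate check (ls -l on the installed binaries).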
Comment 19 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-02-21 21:47:07 UTC
(In reply to Thomas Deutschmann from comment #18)
> So looks like we need another rev bump and we need to take care of existing
> installation (adjust permission in pkg_postinst or better remove any
> existing cache dir and re-create with the next cron job).
Fixed in sys-apps/man-db-2.7.6.1-r2.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2017-02-22 01:46:56 UTC
Sending it back around for stabilization to fix the missed information:
Arches please test and mark stable for:

=sys-apps/man-db-2.7.6.1-r2
Comment 21 Markus Meier gentoo-dev 2017-03-08 20:52:27 UTC
arm stable
Comment 22 Michael Weber (RETIRED) gentoo-dev 2017-03-08 21:51:40 UTC
ppc ppc64 stable.
Comment 23 Agostino Sarubbo gentoo-dev 2017-03-10 09:10:15 UTC
amd64 stable
Comment 24 Agostino Sarubbo gentoo-dev 2017-03-10 11:00:43 UTC
x86 stable
Comment 25 Agostino Sarubbo gentoo-dev 2017-03-10 12:53:38 UTC
sparc stable
Comment 26 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-11 04:42:53 UTC
Stable for HPPA.
Comment 27 Agostino Sarubbo gentoo-dev 2017-03-11 17:14:48 UTC
ia64 stable
Comment 28 Yury German Gentoo Infrastructure gentoo-dev 2017-03-24 04:51:47 UTC
Ping on alpha stabilization!
Comment 29 Tobias Klausmann (RETIRED) gentoo-dev 2017-03-24 15:02:06 UTC
Stable on alpha.
Comment 30 Yury German Gentoo Infrastructure gentoo-dev 2017-03-29 00:35:58 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Comment 31 Yury German Gentoo Infrastructure gentoo-dev 2017-04-05 06:07:41 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 32 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-04-05 06:25:14 UTC
commit 38a67164d4b8bc37452130c45ed1a73e8188b632
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Apr 5 08:24:18 2017

    sys-apps/man-db: Security cleanup (bug #602588).

    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 33 Yury German Gentoo Infrastructure gentoo-dev 2017-04-05 06:29:41 UTC
Including some URLs for documentation of GLSA
http://www.chiark.greenend.org.uk/~cjwatson/blog/
http://git.savannah.gnu.org/cgit/man-db.git/log/
Comment 34 GLSAMaker/CVETool Bot gentoo-dev 2017-07-09 20:25:39 UTC
This issue was resolved and addressed in
 GLSA 201707-12 at https://security.gentoo.org/glsa/201707-12
by GLSA coordinator Thomas Deutschmann (whissi).