Two privilege escalation issues have been fixed by the newest upstream release of man-db, namely man-db-2.7.6. The problem descriptions are here:

http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Of these, the first one *may* be specific to Debian. The second one is definitely relevant to gentoo as well; moreover, I feel that it is a problem that gentoo (unlike Debian) supports no way of removing setuid/setgid bits on man-db related files completely. These bits seem to exist for only one purpose: on-the-fly generation of preformatted cat pages, something not needed by the vast majority of modern installations.

Reproducible: Always
Debian bug report, for tracking the fix: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840357
This is _not_ CVE-2015-1336 which was handled in bug 568968. @ Maintainer(s): Can we stabilize =sys-apps/man-db-2.7.6.1-r1?
It is not ready to go stable. That said, this bug isn't exactly a high priority. It's an escalation from the "man" user, which itself is not directly accessible. So while we should fix it, it's not like people can abuse this without some other bug.
The severity is based on the B1 rating which is defined at https://www.gentoo.org/support/security/vulnerability-treatment-policy.html It is B rated because the package isn't present on at least 1/20 Gentoo installs, however its default installation is affected. It is 1 rated because in the end it is allowing root compromise once you have local access. The fact that the man user isn't directly accessible doesn't affect the security rating. Our rating maybe isn't perfect, but until we have a better policy we have to follow the current policy in place.
(In reply to Thomas Deutschmann from comment #4) How you want to manage the ratings is fine -- that doesn't matter to me. I'm just saying that this isn't a high priority to get fixed & stabilized because of its real-world impact (or lack thereof).
@ Arches, please test and mark stable: =sys-apps/man-db-2.7.6.1-r1
amd64 stable
x86 stable
sparc stable
arm stable
ppc stable
Stable on alpha.
Stable for HPPA.
ia64 stable
ppc64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
commit e91b4b2dc9092134cc73fb81b9cacdfa46cce477
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Jan 18 17:02:09 2017

    sys-apps/man-db: Security cleanup (bug #602588).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
New GLSA request filed.
@ Maintainer(s): While writing the GLSA I re-read upstream changes (from $URL) and noticed

> * SECURITY: Eliminate dangerous setgid-root directories. In the default
>   configuration, cache files and directories are now owned by man:man
>   rather than man:root; man and mandb are now setgid man as well as
>   setuid man (except in the --disable-setuid case). This is a much
>   simpler and safer solution to the original problem that caused my
>   predecessor to make directories setgid root, and doesn't introduce any
>   interesting new privilege since the man group's only real purpose is
>   to be the man user's primary group and nothing in cache directories is
>   group-writeable.
>
>   Maintainers of distribution packagers should take care to review their
>   installation rules in light of this change.

Looks like we missed the last paragraph. The cronjob we install still does

> [...]
>
> # Use same perms/settings as the ebuild.
> if [ ! -d /var/cache/man ]; then
>     mkdir -p /var/cache/man
>     chown man:root /var/cache/man
>     chmod 2755 /var/cache/man
> fi
>
> [...]

(see https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-apps/man-db/files/man-db.cron)

So it looks like we need another rev bump and we need to take care of existing installations (adjust permissions in pkg_postinst or, better, remove any existing cache dir and re-create it with the next cron job).
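A defender's check for the layout discussed in the comment above, as an added example that is not part of this bug thread, the Gentoo cron job or the ebuild: it compares a man-db cache directory's owner, group and mode against the upstream 2.7.6 layout (man:man, setgid man, nothing group- or world-writable) and flags the older man:root setgid layout that the quoted cron snippet creates. It assumes GNU stat(1) and the default /var/cache/man path; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not the bug thread's, the cron job's or the ebuild's code):
# audit a man-db cache directory against the upstream 2.7.6 layout.
# Assumes GNU stat(1); MAN_CACHE_DIR is an assumed override knob.

MAN_CACHE_DIR="${MAN_CACHE_DIR:-/var/cache/man}"

# man_cache_perms_ok OWNER GROUP MODE
# Returns 0 when the triple matches the fixed layout, 1 otherwise.
# MODE is the octal string as printed by `stat -c %a`, e.g. 2755 or 755.
man_cache_perms_ok() {
    owner="$1"; group="$2"; mode="$3"
    # Owner must be the unprivileged man user, never root.
    [ "$owner" = "man" ] || return 1
    # A setgid directory whose group is root is the dangerous case fixed
    # upstream; the group must be man.
    [ "$group" = "man" ] || return 1
    case "$mode" in
        ????) perms="${mode#?}" ;;   # "2755" -> "755" (drop the special bits)
        ???)  perms="$mode" ;;       # "755"  -> "755"
        *)    return 1 ;;
    esac
    g="${perms#?}"; g="${g%?}"       # group permission digit
    o="${perms##??}"                 # other permission digit
    # Neither group nor other may have the write bit (value 2).
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ] || return 1
}

# audit_man_cache [DIR]: stat the real directory and report drift.
audit_man_cache() {
    dir="${1:-$MAN_CACHE_DIR}"
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (the next mandb cron run creates it)"
        return 2
    fi
    set -- $(stat -c '%U %G %a' "$dir")
    if man_cache_perms_ok "$1" "$2" "$3"; then
        echo "$dir: ok ($1:$2 $3)"
    else
        echo "$dir: NEEDS FIX ($1:$2 $3), expected man:man 2755"
        return 1
    fi
}

# Bootstrap matching upstream's man:man layout (what a corrected cron job
# would do); needs root and an existing 'man' user, so it is not run here.
ensure_man_cache() {
    dir="${1:-$MAN_CACHE_DIR}"
    [ -d "$dir" ] || { mkdir -p "$dir" && chown man:man "$dir" && chmod 2755 "$dir"; }
}

if [ $# -gt 0 ]; then audit_man_cache "$1"; fi
```

Run it as `sh audit.sh /var/cache/man`; a non-zero exit means the directory still has the pre-fix ownership or loose permissions.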
(In reply to Thomas Deutschmann from comment #18)
> So looks like we need another rev bump and we need to take care of existing
> installation (adjust permission in pkg_postinst or better remove any
> existing cache dir and re-create with the next cron job).

Fixed in sys-apps/man-db-2.7.6.1-r2.
Sending it back around for stabilization to fix the missed information: Arches please test and mark stable for: =sys-apps/man-db-2.7.6.1-r2
ppc ppc64 stable.
Ping on alpha stabilization!
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
commit 38a67164d4b8bc37452130c45ed1a73e8188b632
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Apr 5 08:24:18 2017

    sys-apps/man-db: Security cleanup (bug #602588).

    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Including some URLs for documentation of the GLSA:

http://www.chiark.greenend.org.uk/~cjwatson/blog/
http://git.savannah.gnu.org/cgit/man-db.git/log/
This issue was resolved and addressed in GLSA 201707-12 at https://security.gentoo.org/glsa/201707-12 by GLSA coordinator Thomas Deutschmann (whissi).