Bug 602594 - app-accessibility/eflite: root privilege escalation
Summary: app-accessibility/eflite: root privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa?]
Keywords:
Depends on: 593274
Blocks:
Reported: 2016-12-14 02:41 UTC by Michael Orlitzky
Modified: 2021-11-18 02:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2016-12-14 02:41:52 UTC
This package uses a socket located at /tmp/es.socket, both by default and as a fallback (if no socket is defined in the config file). Since /tmp is writeable by everyone, any member of the speech group can change /tmp/es.socket to a symlink, pointing to a file of his choice. The next time the eflite service is started, the init script performs,

  chown root:speech /tmp/es.socket
  chmod 660 /tmp/es.socket

That changes the ownership of the *target* of the symlink to root:speech and makes it group-writeable. Thus the speech group attains root.

A similar trick works with hard links.

Before the first time the service is started (i.e. before the socket owned by root:speech exists), any user can create the link -- not just a member of the speech group. To reproduce, install eflite, and make /tmp/es.socket a symlink pointing somewhere important. Start eflite, and watch the target's ownership change.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 23:27:37 UTC
@ Maintainer(s): Please tell us how you want to proceed here. Will you look into this or should security take actions?
Comment 2 Michael Orlitzky gentoo-dev 2017-08-18 16:47:28 UTC
I came up with a fix for this, but the package is currently unusable because of bug #593274.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:19 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:03 UTC
Unrestricting per bug 705894
Comment 5 William Hubbs gentoo-dev 2020-05-29 17:46:37 UTC
@mjo:

What was your fix for this?

Thanks,

William
Comment 6 Michael Orlitzky gentoo-dev 2020-05-29 21:04:22 UTC
I still wasn't able to build eflite to test:

  checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
  checking for connect in -lsocket... no
  checking for library containing pthread_create... -lpthread
  ./configure: 410: test: Illegal number: then
  ./configure: 2968: ./configure: Syntax error: Bad fd number

but I still have my temp directory from when I worked on this bug.

The first thing I would try is to see if eflite can be started as a non-root user/group. If it runs as a dedicated user, then you can create /run/eflite as eflite:eflite (755) in the service script with checkpath and the daemon can create the socket itself (660) with no chown/chmod or init script involvement.

If eflite has to run as root, then you should create /run/eflite as root:root with checkpath, and then be careful when you create and checkpath the socket to the proper group. So long as /run/eflite is root:root, its contents should be relatively safe.

Either way, you should never use a socket under /tmp. Just fix the path to /run/eflite/something. Even making it configurable is more trouble than it's worth. If it works out of the box, nobody will want to mess with it.
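The following is an added example, not code from the bug report or the eflite package. It turns the link tricks from the description (symlink and hard link under /tmp) and the layout Comment 6 recommends (a root-owned directory under /run) into a guard an init script can run before it ever touches chown/chmod. The directory name /run/eflite and the socket name are assumptions taken from the thread; the real script would additionally test `-S` for a socket, which is left out here so the checks can be exercised with ordinary files.

```shell
# Added example: guards against the chown/chmod-on-a-link trick described in
# this bug. Paths below are illustrative assumptions.

# safe_to_chown PATH
# Returns 0 only if chown/chmod on PATH cannot be redirected by a user who
# controls the containing directory: PATH is not a symlink, has exactly one
# hard link, and its parent directory is not world-writable. /tmp/es.socket
# therefore always fails; /run/eflite/es.socket passes. These stat checks are
# defense in depth; the root-owned parent directory is what removes the race.
safe_to_chown() {
    local path=$1 parent links perms others
    parent=$(dirname "$path")

    # A symlink would send chown/chmod to the link target instead.
    if [ -L "$path" ]; then echo "refusing: $path is a symlink" >&2; return 1; fi
    if [ ! -e "$path" ]; then echo "refusing: $path does not exist" >&2; return 1; fi

    # A second hard link means the same inode is reachable under a name the
    # attacker chose, so chmod 660 would open that file to the group as well.
    links=$(stat -c %h "$path")
    if [ "$links" -ne 1 ]; then echo "refusing: $path has $links links" >&2; return 1; fi

    # A world-writable parent (/tmp) is what lets anyone plant the link in
    # the first place; require a directory without the o+w bit, e.g. /run/eflite.
    perms=$(stat -c %a "$parent")
    others=$(( perms % 10 ))
    if [ $(( others & 2 )) -ne 0 ]; then
        echo "refusing: $parent is world-writable" >&2; return 1
    fi
    return 0
}

# prepare_socket_dir DIR
# The layout from Comment 6: a dedicated, non-world-writable directory the
# daemon can create its socket in. Under OpenRC the equivalent would be
# "checkpath -d -m 0755 -o root:root /run/eflite"; plain mkdir/chmod is used
# here so the example runs without root.
prepare_socket_dir() {
    local dir=$1
    if [ -L "$dir" ]; then echo "refusing: $dir is a symlink" >&2; return 1; fi
    mkdir -p "$dir" && chmod 755 "$dir"
}
```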
Comment 7 Miroslav Šulc gentoo-dev 2021-04-29 06:17:03 UTC
eflite might be better dropped, the last version is from 2006-01-18. I don't see any packages depending on it. Any objections?
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-20 22:02:50 UTC
(In reply to Miroslav Šulc from comment #7)
> eflite might be better dropped, the last version is from 2006-01-18. I don't
> see any packages depending on it. Any objections?

Yep, I recall this being one of the first packages I recommended treecleaning (on irc). As I recall William meant to look into it but I guess never did or had no luck. CCing treecleaner.
Comment 9 Larry the Git Cow gentoo-dev 2021-07-17 22:22:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a243c770660da9349d29c50a32e51a78850cc61

commit 7a243c770660da9349d29c50a32e51a78850cc61
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-17 22:12:23 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-17 22:22:03 +0000

    package.mask: mask app-accessibility/eflite for removal
    
    Bug: https://bugs.gentoo.org/602594
    Bug: https://bugs.gentoo.org/639430
    Bug: https://bugs.gentoo.org/677382
    Bug: https://bugs.gentoo.org/695028
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 10 Larry the Git Cow gentoo-dev 2021-08-21 00:41:53 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e12b34dfa139ae23d75fe123d858a632c77f6124

commit e12b34dfa139ae23d75fe123d858a632c77f6124
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-21 00:35:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-21 00:41:07 +0000

    profiles/package.mask: remove entry for app-accessibility/eflite
    
    Closes: https://bugs.gentoo.org/602594
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bba7ecf807ebd89635728aa57b6d90ff957d541

commit 3bba7ecf807ebd89635728aa57b6d90ff957d541
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-21 00:34:09 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-21 00:38:53 +0000

    app-accessibility/eflite: remove package
    
    Bug: https://bugs.gentoo.org/602594
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-accessibility/eflite/Manifest                  |  1 -
 app-accessibility/eflite/eflite-0.4.1-r3.ebuild    | 46 ----------------------
 .../eflite/files/eflite-0.4.1-flite14.patch        | 24 -----------
 app-accessibility/eflite/files/eflite.rc           | 28 -------------
 app-accessibility/eflite/files/es.conf             | 11 ------
 app-accessibility/eflite/metadata.xml              | 33 ----------------
 6 files changed, 143 deletions(-)
Comment 11 Michael Orlitzky gentoo-dev 2021-11-18 02:58:20 UTC
Time createth all things and Time destroyeth all creatures.