Comment 1 Michael Orlitzky 2017-08-17 13:44:50 UTC

Created attachment 489380 [details]
tenshi-0.16.ebuild

This also fixes bug 611082, but there's one annoying issue with some missing files in the tarball. I'll report it upstream in a second. Proxy maintainers please review.

Comment 2 Michael Orlitzky 2017-08-17 14:01:16 UTC

Created attachment 489382 [details]
tenshi-0.16.ebuild

Ok, the missing files got fixed in about 30 seconds. Here's a new version with no caveats.

Comment 3 Christopher Díaz Riveros (RETIRED) 2017-08-17 14:04:04 UTC

Thanks, please let us know when you are ready for stabilization or call it yourself. 

Gentoo Security Padawan 
ChrisADR

Comment 4 Michael Orlitzky 2017-08-29 10:12:03 UTC

Maintainers? I'm happy to fix this myself.

Comment 5 Christopher Díaz Riveros (RETIRED) 2017-08-29 16:05:08 UTC

(In reply to Michael Orlitzky from comment #4)
> Maintainers? I'm happy to fix this myself.

It's been almost a month since the report and no answer from maintainers,
CCing proxy-maint to let them know the situation.


@Michael if no answer in the next 2 or 3 days, could you please ensure that is ready for stabilization?

Thanks

Gentoo Security Padawan
ChrisADR

Comment 6 Michael Orlitzky 2017-08-29 17:45:09 UTC

I don't use tenshi myself -- I discovered the bug by accident -- so let's try this: I just committed v0.16 to the tree as ~arch. If no one files any bugs in the next few days and the maintainers don't speak up, just proceed with stabilization and I'll clean up afterwards.

I tested out 0.16 and noticed that it was starting tail as root instead of the tenshi user.  It looks like the changes done to move the pidfile creation before dropping privs also made everything else occur before dropping privs.  This has some unfortunate consequences, since the program tenshi calls for tail can be specified in the config and the ebuild installs the config as writable to the tenshi user.

I've made a pull request with a potential fix:
https://github.com/inversepath/tenshi/pull/9

Comment 8 Michael Orlitzky 2017-08-31 00:58:15 UTC

(In reply to Brian De Wolf from comment #7)
> the ebuild installs the config as writable to the tenshi user.

Hey, you found another root exploit =)

The "tenshi" user can not only write whatever he wants for the "tail" command, but he can put "set uid root" into tenshi.conf to gain root the next time the daemon starts (because it will run his "tail" command as root).

I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!

Comment 9 Thomas Deutschmann (RETIRED) 2017-10-19 12:01:16 UTC

x86 stable

Comment 10 Michael Orlitzky 2017-10-19 12:32:39 UTC

The fix for this isn't quite complete in ::gentoo, Brian has another commit upstream that is needed. I've pinged the maintainer to see if we can't get a v0.17 tagged; otherwise, I can always do an -r2 with Brian's patch.

Comment 11 Larry the Git Cow 2017-10-19 13:56:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4

commit 7bd4d65f8d6bef1f6562c25c77f0bd1a3ca8bce4
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2017-10-19 13:55:13 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2017-10-19 13:55:13 +0000

    app-admin/tenshi: new version 0.17.
    
    This version completes the fix for the vulnerable PID file handling
    reported in bug 626654. Thanks to the proxy maintainer Brian De Wolf
    for making sure that this was fixed correctly upstream.
    
    Bug: https://bugs.gentoo.org/626654
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 app-admin/tenshi/Manifest           |  1 +
 app-admin/tenshi/tenshi-0.17.ebuild | 47 +++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)}

Comment 12 Thomas Deutschmann (RETIRED) 2017-10-19 14:29:28 UTC

So let's wait a few days until we restart stabilization.

Comment 13 Thomas Deutschmann (RETIRED) 2017-10-19 14:31:14 UTC

(In reply to Michael Orlitzky from comment #8)
> (In reply to Brian De Wolf from comment #7)
> > the ebuild installs the config as writable to the tenshi user.
> 
> Hey, you found another root exploit =)
> 
> The "tenshi" user can not only write whatever he wants for the "tail"
> command, but he can put "set uid root" into tenshi.conf to gain root the
> next time the daemon starts (because it will run his "tail" command as root).
> 
> I made a tenshi-0.16-r1 that leaves tenshi.conf owned by root:root. Thanks!

Was this a Gentoo-only vulnerability or was it an upstream bug so we should get a CVE?

Comment 14 Michael Orlitzky 2017-10-19 14:56:36 UTC

(In reply to Thomas Deutschmann from comment #13)
> 
> Was this a Gentoo-only vulnerability or was it an upstream bug so we should
> get a CVE?

Check the title bar of your web browser =)

Comment 15 Aaron Bauman (RETIRED) 2018-01-23 01:51:52 UTC

@arches, please stabilize.

Comment 16 Agostino Sarubbo 2018-01-23 16:42:11 UTC

amd64 stable

Comment 17 Thomas Deutschmann (RETIRED) 2018-01-26 18:22:39 UTC

x86 stable

Comment 18 Sergei Trofimovich (RETIRED) 2018-03-03 21:27:16 UTC

ppc stable

Comment 19 Johannes Huber (RETIRED) 2018-04-17 19:17:03 UTC

Cleanup done by treecleaners.

Comment 20 Aaron Bauman (RETIRED) 2018-04-18 00:36:08 UTC

GLSA request filed

Comment 21 GLSAMaker/CVETool Bot 2018-04-22 22:38:28 UTC

This issue was resolved and addressed in
 GLSA 201804-18 at https://security.gentoo.org/glsa/201804-18
by GLSA coordinator Aaron Bauman (b-man).