Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629412 (CVE-2017-18225) - net-im/jabberd2: system executables owned by non-root user
Summary: net-im/jabberd2: system executables owned by non-root user
Status: RESOLVED FIXED
Alias: CVE-2017-18225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 01:42 UTC by Michael Orlitzky
Modified: 2018-05-24 20:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-08-31 01:42:49 UTC
The executables installed to /usr/bin by net-im/jabberd2 are owned by the "jabber" user:

  -rwxr-x---   1 jabber    jabber    9.5K 2017-08-30 21:34 jabberd
  -rwxr-x---   1 jabber    jabber    192K 2017-08-30 21:34 jabberd2-c2s
  -rwxr-x---   1 jabber    jabber    160K 2017-08-30 21:34 jabberd2-router
  -rwxr-x---   1 jabber    jabber    180K 2017-08-30 21:34 jabberd2-s2s
  -rwxr-x---   1 jabber    jabber    180K 2017-08-30 21:34 jabberd2-sm

Those are in root's PATH, and could conceivably be run as root during debugging or experimentation. If that ever happens, it's trivial for the "jabber" user to gain root; instead, those should likely all be root:root, or maybe root:jabber if you want to leave them mode 750.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:27:49 UTC
Is this a Gentoo specific issue? it may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 01:44:03 UTC
The ebuild does,

  fowners jabber:jabber /usr/bin/{jabberd,router,sm,c2s,s2s}

so I doubt it's an upstream issue.
Comment 3 Pacho Ramos gentoo-dev 2017-11-09 13:27:27 UTC
Either ones takes care of deeply reviewing the ebuild and init files (due to other opened bugs affecting them) or this should be treecleaned (there is also a pending security issue revbump in other bug)
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-03-03 17:21:51 UTC
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6.

Added to an existing GLSA request filed.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 11:04:46 UTC
CVE-2017-18225 was assigned for this issue.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:06:56 UTC
This issue was resolved and addressed in
 GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07
by GLSA coordinator Christopher Diaz Riveros (chrisadr).