The getdelta ebuild calls chown recursively on the live root filesystem in pkg_postinst:

    pkg_postinst() {
        ...
        chown -R portage:portage "${ROOT}"/{var/log/getdelta.log,etc/deltup}

The "portage" user can place a hard link in /etc/deltup pointing to a sensitive root-owned file, and the next time that getdelta is emerged, that file will be given to the "portage" user. For example,

1. emerge getdelta
2. create a hard link from /etc/passwd to /etc/deltup/x
3. emerge getdelta
4. the file /etc/passwd is owned by portage:portage
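As an added example (not code from the bug or from the getdelta ebuild), the following POSIX shell check refuses a recursive chown when the target tree contains any regular file with more than one link, which is exactly what the hard-link trick above relies on. The function names, the temporary layout and the file contents are constructed for the demonstration.

```shell
# Added example, not from the bug report or the getdelta ebuild: refuse a
# recursive chown when the tree holds a regular file whose inode has more
# than one link. A hard link is indistinguishable from the original file,
# so it cannot be chowned safely; the real fix is to set ownership in the
# install image rather than on the live root.

# Print regular files under $1 that have more than one hard link.
hardlinked_entries() {
    find "$1" -type f -links +1 | sort
}

# chown the tree at $1 to $2 only when it contains no hard-linked regular
# files. Returns 0 if ownership was changed, 1 if the tree was refused.
safe_chown_tree() {
    _dir=$1 _owner=$2
    if [ -n "$(hardlinked_entries "$_dir")" ]; then
        echo "refusing to chown $_dir: hard-linked file(s) present" >&2
        hardlinked_entries "$_dir" >&2
        return 1
    fi
    chown -R "$_owner" "$_dir"
}

# Constructed layout in a temporary directory: a "sensitive" file outside
# the tree and a config file inside it. With $1 = link, a hard link to the
# sensitive file is planted in the tree as in the report. Prints "allowed"
# or "refused". Ownership is set to the current user so no root is needed.
demo() {
    _tmp=$(mktemp -d)
    mkdir "$_tmp/deltup"
    printf 'root:x:0:0\n' > "$_tmp/sensitive"
    printf 'ok\n' > "$_tmp/deltup/config"
    if [ "$1" = link ]; then ln "$_tmp/sensitive" "$_tmp/deltup/x"; fi
    if safe_chown_tree "$_tmp/deltup" "$(id -un)" 2>/dev/null; then
        _result=allowed
    else
        _result=refused
    fi
    rm -rf "$_tmp"
    echo "$_result"
}

demo link     # refused
demo nolink   # allowed
```

The check only covers hard links; symbolic links are not matched by `-type f` and are not followed by `find` or by `chown -R` here, but the link count test cannot tell which path is the "original", so refusing the whole tree is the only safe outcome.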
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
CCing proxied maintainer.
Never touched by a maintainer since the git transition and no real changes in the same time. EAPI 5. CCing treecleaner.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b965153d7733fe0a58bdd54a378cd337e76a420c

commit b965153d7733fe0a58bdd54a378cd337e76a420c
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-24 12:38:35 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-24 12:38:35 +0000

    app-portage/getdelta: Remove last-rited package

    Closes: https://bugs.gentoo.org/371635
    Bug: https://bugs.gentoo.org/630814
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-portage/getdelta/Manifest                   |   1 -
 app-portage/getdelta/files/getdelta-0.7.9.patch | 252 ------------------------
 app-portage/getdelta/getdelta-0.7.9-r2.ebuild   |  46 -----
 app-portage/getdelta/metadata.xml               |   8 -
 profiles/package.mask                           |   5 -
 5 files changed, 312 deletions(-)
All done!