The ebuilds for bitlbee call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { chown -R bitlbee:bitlbee "${ROOT}"/var/lib/bitlbee ... This can be exploited by the "bitlbee" user to gain root. After the package is installed, the "bitlbee" user can place a hard link in /var/lib/bitlbee pointing to a root-owned file. The next time the package is upgraded or reinstalled, the "chown -R" command will give away root's file to "bitlbee". For example, 1. emerge bitlbee 2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/bitlbee/x' bitlbee 3. emerge bitlbee 4. /etc/password is owned by bitlbee:bitlbee
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed6f485c2830f0ae5ba116cc440dfab05bdaa7db commit ed6f485c2830f0ae5ba116cc440dfab05bdaa7db Author: Petr Vaněk <arkamar@atlas.cz> AuthorDate: 2020-05-01 12:04:33 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2020-05-05 08:46:35 +0000 net-im/bitlbee: remove unnecessary chown from pkg_postinst phase Closes: https://bugs.gentoo.org/630912 Package-Manager: Portage-2.3.89, Repoman-2.3.20 Signed-off-by: Petr Vaněk <arkamar@atlas.cz> Closes: https://github.com/gentoo/gentoo/pull/14984 Signed-off-by: Joonas Niilola <juippis@gentoo.org> net-im/bitlbee/bitlbee-3.5.1.ebuild | 4 ---- net-im/bitlbee/bitlbee-3.6-r1.ebuild | 4 ---- net-im/bitlbee/bitlbee-9999.ebuild | 4 ---- 3 files changed, 12 deletions(-)