The openfire ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R jabber:jabber "${ROOT}"/opt/openfire
  }

This can be exploited by the "jabber" user to gain root, if he places a hard link to a root-owned file in /opt/openfire. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "jabber" user. For example,

  1. emerge openfire
  2. su -s /bin/sh -c 'ln /etc/passwd /opt/openfire/x' jabber
  3. emerge openfire
  4. /etc/passwd is owned by jabber:jabber
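An added example, not part of the original report or of the openfire ebuild: a pre-flight check that lists hard-linked files in a service-writable tree before anyone runs a recursive chown on it. The function names and the demo tree built under a temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report).
# A regular file with link count > 1 has a second name somewhere on the same
# filesystem. Inside a tree writable by an unprivileged account, that second
# name may belong to a root-owned file, which "chown -R" would then hand over.

# list_multilinked DIR
# Print every regular file under DIR whose link count is greater than 1.
list_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# safe_to_chown DIR
# Return 0 if DIR holds no multiply-linked regular files, 1 otherwise.
safe_to_chown() {
    hits=$(list_multilinked "$1")
    if [ -n "$hits" ]; then
        printf 'refusing recursive chown, hard-linked files found:\n%s\n' \
            "$hits" >&2
        return 1
    fi
    return 0
}

# demo
# Build a constructed tree: "outside/passwd" stands in for /etc/passwd and
# "tree" stands in for /opt/openfire. Prints the flagged path relative to
# the temporary work directory.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/outside" "$work/tree"
    echo 'root:x:0:0:root:/root:/bin/sh' > "$work/outside/passwd"
    echo '<jive/>' > "$work/tree/openfire.xml"     # ordinary file, 1 link
    ln "$work/outside/passwd" "$work/tree/x"       # the planted hard link
    found=$(list_multilinked "$work/tree")
    rm -rf "$work"
    printf '%s\n' "${found#"$work"/}"
}
```

With the Linux sysctl fs.protected_hardlinks set to 1, an unprivileged user cannot create a hard link to a file they do not own and cannot read and write, which blocks step 2 of the report.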
The ".*confidential.*" red text does not actually say what the next step is for this issue.

Should I attach an ebuild fix here once I get it ready, or is someone else already actively handling it?
(In reply to Sergei Trofimovich from comment #1)
> The ".*confidential.*" red text does not actually say on the next step for
> this issue.
>
> Should I attach ebuild fix once I get it ready here or someone else
> already actively handling it?

Just fix it and post here when you're done =)

There's nothing special about the private bug, I was just asked to mark these sorts of issues private until they're fixed.
This issue should be fixed in the -r2. I just reordered things so that it's not necessary to call chown/chmod at any point. @security, we should open up this bug and ask the arch teams to test it.
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
pkg is no longer in tree.