630920 – net-proxy/wwwoffle: root privilege escalation via "chown -R" in pkg_postinst

Bug 630920 - net-proxy/wwwoffle: root privilege escalation via "chown -R" in pkg_postinst

Summary: net-proxy/wwwoffle: root privilege escalation via "chown -R" in pkg_postinst

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-13 18:30 UTC by Michael Orlitzky
Modified:	2020-04-03 23:18 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-13 18:30:24 UTC

The wwwoffle ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R wwwoffle:wwwoffle "${ROOT}/var/spool/wwwoffle" ...

This can be exploited by the "wwwoffle" user to gain root if he places a hard link to a root-owned file in that directory. The next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's file to the "wwwoffle" user. For example,

  1. emerge wwwoffle
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/wwwoffle/x' wwwoffle
  3. emerge wwwoffle
  4. /etc/passwd is owned by the "wwwoffle" user

I'm marking this private, but the package is maintainer-needed, so security@ will need to find someone appropriate to CC to fix it.

Comment 1 Michael Orlitzky gentoo-dev

2019-09-14 16:43:32 UTC

No maintainer, no upstream release in 3+ years, open security bugs... treeclean!

Comment 2 Robin Johnson archtester

2020-04-03 23:16:19 UTC

Unrestricting and reassigning to security@ per bug #705894

Comment 3 Robin Johnson archtester

2020-04-03 23:18:16 UTC

unrestricting per bug 705894