The wwwoffle ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R wwwoffle:wwwoffle "${ROOT}/var/spool/wwwoffle"
      ...

This can be exploited by the "wwwoffle" user to gain root if he places a hard link to a root-owned file in that directory. The next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's file to the "wwwoffle" user.

For example,

  1. emerge wwwoffle
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/wwwoffle/x' wwwoffle
  3. emerge wwwoffle
  4. /etc/passwd is owned by the "wwwoffle" user

I'm marking this private, but the package is maintainer-needed, so security@ will need to find someone appropriate to CC to fix it.
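A pre-flight audit for the recursive chown described in the report above, as an added example that is not part of the original report or the ebuild. The function names and the temporary sample tree are assumptions made for illustration; "spool" stands in for /var/spool/wwwoffle.

```shell
#!/bin/sh
# Added example (not from the ebuild). Function names and the sample tree
# are constructed for illustration.

# List regular files under $1 that have more than one name (link count > 1).
# A hard link planted by the service user to a file elsewhere on the same
# filesystem shows up here. Returns 1 if any are found, 0 otherwise.
find_multilinked() {
    found=$(find "$1" -xdev -type f -links +1 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Run the recursive chown (owner $1, group $2, tree $3) only when the audit
# is clean. The check is not atomic: a link created between the find and
# the chown still has its ownership changed, so this narrows the exposure
# and flags tampering but does not make chown -R on a live tree safe.
guarded_chown() {
    if ! find_multilinked "$3" >&2; then
        echo "refusing chown -R on $3: multiply-linked files present" >&2
        return 1
    fi
    chown -R -h "$1:$2" "$3"   # -h: act on symlinks themselves, not targets
}

# Constructed sample: "passwd" stands in for a file owned by someone else,
# "x" is the hard link from step 2 of the report.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/spool"
    echo "root:x:0:0::/root:/bin/sh" > "$tmp/passwd"
    echo "cached page" > "$tmp/spool/page"
    ln "$tmp/passwd" "$tmp/spool/x"
    before=0; guarded_chown "$(id -u)" "$(id -g)" "$tmp/spool" || before=$?
    rm "$tmp/spool/x"
    after=0; guarded_chown "$(id -u)" "$(id -g)" "$tmp/spool" || after=$?
    rm -rf "$tmp"
    echo "with link: $before, link removed: $after"
}

demo
```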
No maintainer, no upstream release in 3+ years, open security bugs... treeclean!
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
CCing treecleaner as previously suggested
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dee948f4fb57a4f6bcc4457bcf9751a7345d4ba

commit 3dee948f4fb57a4f6bcc4457bcf9751a7345d4ba
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-17 19:10:50 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-17 19:19:39 +0000

    net-proxy/wwwoffle: drop old version

    Closes: https://bugs.gentoo.org/630920
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-proxy/wwwoffle/wwwoffle-2.9i-r1.ebuild | 107 -----------------------------
 1 file changed, 107 deletions(-)