Bug 631020 (CVE-2017-14483) - <dev-python/flower-0.9.1-r1: privilege escalation via PID file manipulation
Summary: <dev-python/flower-0.9.1-r1: privilege escalation via PID file manipulation
Alias: CVE-2017-14483
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa cve]
Reported: 2017-09-14 22:24 UTC by Michael Orlitzky
Modified: 2017-10-24 21:26 UTC
CC: 1 user
Description Michael Orlitzky gentoo-dev 2017-09-14 22:24:30 UTC
This init script for flower gives ownership of its PID file directory to the daemon's runtime user:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

That can be exploited by $user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $user).

Fortunately, the PID file is already created as root:root, so the call to checkpath above is superfluous, and the issue can be fixed by setting,


and by deleting the start_pre() function entirely.

Some unrelated suggestions:

  1. Change the deprecated $SVCNAME to $RC_SVCNAME
  2. Use command_user instead of --user and --group in start_stop_daemon_args.
  3. One of "need net" and "after net" is redundant.
  4. The ebuild runs,

       fowners ${PN}:${PN} /var/log/${PN}

     but the init script gives you the ability to switch users. If the
     user and group are ever switched, the ownership information on
     /var/log/flower will be wrong. Unless there's a good reason for it,
     I would settle on user=group=flower and leave it unconfigurable.
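As an added illustration of the defensive check the report implies (this is example code written for this page, not part of the bug, the flower ebuild, or its init script), the functions below verify a PID file before any signal is sent to the PID it contains: the file and its directory must belong to the expected owner (normally root) and must not be writable by group or others, and the PID must be a live process running as the service user. The directory-owned-by-$user situation from the checkpath line above fails the first check, and a PID file naming a root process fails the second. The function names, the GNU stat invocation and the reliance on /proc are assumptions of this example, not anything from the package.

```shell
#!/bin/sh
# Added example, not from the bug report or the flower package.
# Assumes Linux with GNU stat and a mounted /proc.

# writable_by_others MODE
# Returns 0 when an octal mode string (755, 1777, 2775, ...) grants
# write permission to group or others.
writable_by_others() {
    mode=$1
    # drop any setuid/setgid/sticky prefix, keep the last three digits
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    case "$mode" in
        ?[2367]?|??[2367]) return 0 ;;
    esac
    return 1
}

# pidfile_is_trusted PIDFILE OWNER
# Returns 0 only if both the PID file and its parent directory are owned
# by OWNER and neither is writable by group or others.  A directory handed
# to the daemon's runtime user (as the vulnerable start_pre did) fails here.
pidfile_is_trusted() {
    pidfile=$1 owner=$2
    dir=${pidfile%/*}
    for p in "$dir" "$pidfile"; do
        [ -e "$p" ] || return 1
        set -- $(stat -c '%U %a' "$p" 2>/dev/null)
        [ "$1" = "$owner" ] || return 1
        writable_by_others "$2" && return 1
    done
    return 0
}

# pid_runs_as PIDFILE USER
# Returns 0 only if the first line of PIDFILE is a numeric PID of a live
# process owned by USER (uid of /proc/PID).  A PID file that names a root
# process, the attack described in the report, fails here.
pid_runs_as() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    want=$(id -u "$2" 2>/dev/null) || return 1
    have=$(stat -c %u "/proc/$pid" 2>/dev/null) || return 1
    [ "$have" = "$want" ]
}

# safe_stop PIDFILE FILE_OWNER SERVICE_USER
# Sends SIGTERM only when both checks pass; otherwise explains the refusal.
# Usage (hypothetical paths and users):
#   safe_stop /run/flower.pid root flower
safe_stop() {
    if ! pidfile_is_trusted "$1" "$2"; then
        echo "refusing to stop: $1 or its directory is not owned by $2 or is writable by others" >&2
        return 2
    fi
    if ! pid_runs_as "$1" "$3"; then
        echo "refusing to stop: PID in $1 is not a live process owned by $3" >&2
        return 3
    fi
    kill -TERM "$(head -n 1 "$1" | tr -d '[:space:]')"
}
```

The ownership check is what the report's fix restores: with the PID file directory kept as root:root, the runtime user cannot replace the file's contents, so the stop action only ever signals the PID the daemon itself wrote. The uid check is a second, independent guard that catches a tampered PID file even if the directory permissions were wrong.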
Comment 1 Zac Medico gentoo-dev 2017-09-14 23:57:40 UTC
Fixed in 0.9.1-r1:

There are no older versions to remove.
Comment 2 Aleksandr Wagner (Kivak) 2017-09-15 01:50:12 UTC
This bug will be kept open for CVE assignment, the CVE has been requested.

Gentoo Security Padawan