Bug 631068 (CVE-2017-18226) - net-im/jabberd2: privilege escalation via PID file manipulation
Summary: net-im/jabberd2: privilege escalation via PID file manipulation
Alias: CVE-2017-18226
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on:
Reported: 2017-09-15 12:39 UTC by Michael Orlitzky
Modified: 2018-05-24 20:04 UTC (History)
See Also:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-15 12:39:58 UTC
The init script for jabberd2 gives ownership of its PID file directory to the "jabber" user:

  start_pre() {
      # creates /var/run/jabber owned by the unprivileged "jabber" user,
      # so that user controls every PID file placed in it
      checkpath -d -o jabber /var/run/jabber
  }

This can be exploited by the "jabber" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of any PID files he finds.

The problem is ultimately due to the fact that jabberd is allowed to create the PID files, while start-stop-daemon is responsible for dropping privileges (which happens first). Instead, I recommend commenting out all of the <pidfile> directives in the jabberd XML config files, and passing "--make-pidfile" to start-stop-daemon in the init script. That will cause start-stop-daemon to create the PID files as root:root, and they can all be placed directly in /run to avoid the vulnerability.

(This init script is a mess because it's used to start more than one service. I would also strongly recommend that it be split up into three or four init scripts, one for each service -- all of them would then become considerably simpler.)
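The report above describes why a PID file that the service user can write must never be trusted by a root-run stop action. The following is an added example, not code from the bug report or from the jabberd2 ebuild: a POSIX sh check that a stop action can run before signalling the PID read from a file. It assumes GNU `stat -c` and a Linux `/proc` (falling back to `ps`), and the function name `pidfile_is_trusted` and the `demo` scenario are constructed here.

```shell
#!/bin/sh
# Added example (not from the bug report or the jabberd2 ebuild): refuse to act on
# a PID file unless its directory, the file itself, its contents and the target
# process all look the way a root-created PID file for a service should.
#
# pidfile_is_trusted PIDFILE FILE_OWNER_UID SERVICE_UID  -> 0 if safe to act on
pidfile_is_trusted() {
    pidfile=$1 file_uid=$2 svc_uid=$3
    dir=$(dirname "$pidfile")
    # 1. Directory: owned by the expected uid (root, when start-stop-daemon
    #    --make-pidfile writes it) and neither group- nor world-writable.
    [ -d "$dir" ] || return 1
    [ "$(stat -c %u "$dir")" = "$file_uid" ] || return 1
    case $(stat -c %A "$dir") in
        ?????w*|????????w*) return 1 ;;   # e.g. drwxrwxr-x or drwxr-xrwx
    esac
    # 2. PID file: a regular file (not a symlink) owned by the expected uid.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1
    [ "$(stat -c %u "$pidfile")" = "$file_uid" ] || return 1
    # 3. Contents: exactly one decimal PID, nothing else.
    pid=$(head -n 1 "$pidfile")
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    # 4. Target process: must run as the service user, never as root/another uid.
    if [ -r "/proc/$pid/status" ]; then
        proc_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    else
        proc_uid=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$proc_uid" ] && [ "$proc_uid" = "$svc_uid" ]
}

# Constructed scenario: the current user plays both the file owner and the
# service account, and this shell ($$) plays the daemon.
demo() {
    tmp=$(mktemp -d) && chmod 700 "$tmp"
    me=$(id -u)
    printf '%s\n' "$$" > "$tmp/good.pid"          # well-formed, trusted
    printf 'abc\n'     > "$tmp/text.pid"          # garbage contents, rejected
    ln -s "$tmp/good.pid" "$tmp/link.pid"         # symlink, rejected
    mkdir "$tmp/open" && chmod 777 "$tmp/open"    # writable dir, rejected
    cp "$tmp/good.pid" "$tmp/open/good.pid"
    for f in good text link open/good; do
        if pidfile_is_trusted "$tmp/$f.pid" "$me" "$me"; then r=trusted; else r=rejected; fi
        echo "$f.pid: $r"
    done
    # Valid file, but the PID's owner is not the service uid: rejected.
    pidfile_is_trusted "$tmp/good.pid" "$me" "$((me + 1))" || echo "good.pid (uid mismatch): rejected"
    rm -rf "$tmp"
}
demo
```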
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-03 17:19:15 UTC
Package was removed via

New GLSA request filed.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 11:05:15 UTC
CVE-2017-18226 was assigned for this issue.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:07:05 UTC
This issue was resolved and addressed in GLSA 201803-07 at by GLSA coordinator Christopher Diaz Riveros (chrisadr).