Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631068 (CVE-2017-18226) - net-im/jabberd2: privilege escalation via PID file manipulation
Summary: net-im/jabberd2: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: CVE-2017-18226
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-15 12:39 UTC by Michael Orlitzky
Modified: 2018-05-24 20:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-15 12:39:58 UTC
The init script for jabberd2 gives ownership of its PID file directory to the "jabber" user:

  start_pre() {
      checkpath -d -o jabber /var/run/jabber
  }

This can be exploited by the "jabber" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of any PID files he finds.

The problem is ultimately due to the fact that jabberd is allowed to create the PID files, while start-stop-daemon is responsible for dropping privileges (which happens first). Instead, I recommend commenting out all of the <pidfile> directives in the jabberd XML config files, and passing "--make-pidfile" to start-stop-daemom in the init script. That will cause start-stop-daemon to create the PID files as root:root, and they can all be placed directly in /run to avoid the vulnerability.

(This init script is a mess because it's used to start more than one service. I would also strongly recommend that it be split up into three or four init scripts, one for each service -- all of them would then become considerably simpler.)
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-03-03 17:19:15 UTC
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6.

New GLSA request filed.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 11:05:15 UTC
CVE-2017-18226 was assigned for this issue.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:07:05 UTC
This issue was resolved and addressed in
 GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07
by GLSA coordinator Christopher Diaz Riveros (chrisadr).