Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 751415 (CVE-2017-18925) - sys-apps/opentmpfiles: Root privilege escalation (mishandling of 'd' entries) (CVE-2017-18925)
Summary: sys-apps/opentmpfiles: Root privilege escalation (mishandling of 'd' entries)...
Status: IN_PROGRESS
Alias: CVE-2017-18925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/OpenRC/opentmpfile...
Whiteboard: B1 [upstream]
Keywords:
: 751427 (view as bug list)
Depends on: 751652
Blocks:
  Show dependency tree
 
Reported: 2020-10-27 01:42 UTC by Sam James
Modified: 2021-07-29 17:42 UTC (History)
11 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-27 01:42:56 UTC 
Description:
"opentmpfiles through 0.3.1 allows local users to take ownership of arbitrary files because d entries are mishandled and allow a symlink attack."

Notes:
* This IS the opentmpfiles equivalent of bug 647796.
* This isn't the same as bug 647752 which is mostly mitigated by the baselayout change (sysctl).
Comment 1 filip ambroz 2020-10-27 09:00:43 UTC 
*** Bug 751427 has been marked as a duplicate of this bug. ***
Comment 2 Michael Orlitzky gentoo-dev 2020-10-27 19:08:36 UTC 
More information: http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
Comment 3 Larry the Git Cow gentoo-dev 2020-10-29 06:42:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9be32a62cbaaf4c629dee12d6264b80799e7cb25

commit 9be32a62cbaaf4c629dee12d6264b80799e7cb25
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:41:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:47 +0000

    virtual/tmpfiles: add systemd-tmpfiles standalone provider
    
    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/tmpfiles/tmpfiles-0.ebuild | 1 +
 1 file changed, 1 insertion(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0127bd04e1966c212b541d0a6e2fdcb9f5a7251e

commit 0127bd04e1966c212b541d0a6e2fdcb9f5a7251e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:39:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:46 +0000

    sys-apps/systemd-tmpfiles: add ~amd64 ~arm64 ~ppc64 keywords
    
    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 William Hubbs gentoo-dev 2020-10-30 15:33:51 UTC 
I think that since systemd-tmpfiles uses a lot of systemd code, there is
a chance it won't work for musl.
Comment 5 davidf4 2021-07-08 21:18:34 UTC 
Due to the ongoing objections by some to anything related to systemd, may I suggest that the "masked" message be appended to note that even the authors of OpenTmpFiles recommend shifting to this package due to the lack of progress resolving the bug in their package?

I was able to research and find the note in their "issues" section so I'll go ahead and unmask this particular systemd package.

Thanks,
Comment 6 davidf4 2021-07-08 21:20:08 UTC 
> I was able to research and find the note in their "issues" section so I'll
> go ahead and unmask this particular systemd package.

Make that "unmask on my personal system".  I'm not going to commit anything to the overall Gentoo ecosystem...
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:25:34 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:42:00 UTC 
Package list is empty or all packages have requested keywords.