Bug 767781 (CVE-2019-25016) - <app-admin/doas-6.8.1: fails to always reset PATH (CVE-2019-25016)
Summary: <app-admin/doas-6.8.1: fails to always reset PATH (CVE-2019-25016)
Status: IN_PROGRESS
Alias: CVE-2019-25016
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major with 1 vote
Assignee: Gentoo Security
URL:
Whiteboard: C1 [glsa? cleanup]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2021-01-28 21:33 UTC by Sam James
Modified: 2021-02-01 08:29 UTC

See Also:
Package list:
app-admin/doas-6.8.1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2021-01-28 21:33:47 UTC
"There is an unsafe incomplete reset of PATH in OpenDoas 6.6 through 6.8 when changing the user context."

See https://github.com/Duncaen/OpenDoas/issues/45 for more discussion:

"Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019.

One nuance about this is that the user's PATH will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin.
If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset of the PATH variable was already correct before this fix).

This means before the fix, users who only had access to execute a specific command were not able to execute other commands through an "unsafe" PATH.

Users who were allowed to execute anything could change PATH to execute more things from PATH."
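
An added example (not part of this bug report or of OpenDoas): the upstream comment quoted above says only rules without a cmd restriction picked up the caller's PATH, so this script lists the permit rules in a doas.conf that allow any command. It assumes one rule per line and no '#' inside quoted strings; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag doas.conf "permit" rules that carry no "cmd" restriction.
# Grammar assumed: permit|deny [options] identity [as target] [cmd command [args ...]]
# Assumptions: one rule per line, no '#' inside quoted strings.

# audit_doas_rules FILE: print "LINENO: rule" for every unrestricted permit rule.
audit_doas_rules() {
    awk '
    {
        orig = $0
        line = $0
        sub(/#.*/, "", line)                         # strip comments
        gsub(/setenv[ \t]*[{][^}]*[}]/, "", line)    # setenv values may contain "cmd"
        $0 = line                                    # re-split into fields
        if ($1 != "permit") next                     # deny rules and blanks
        i = 2
        while ($(i) ~ /^(nopass|nolog|persist|keepenv)$/) i++
        i++                                          # skip the identity
        if ($(i) == "as") i += 2                     # skip "as target"
        if ($(i) != "cmd") print NR ": " orig
    }' "$1"
}

# Constructed sample configuration (not taken from any real system).
sample_conf() {
    cat <<'EOF'
# constructed sample doas.conf
permit :wheel
permit nopass keepenv alice as root
permit :wheel cmd foo
permit setenv { MODE=cmd } bob as root
deny carol
permit nopass dave as root cmd /usr/bin/emerge args --sync
EOF
}

# Demo run on the sample; call audit_doas_rules with your own doas.conf path instead.
tmp=$(mktemp)
sample_conf > "$tmp"
audit_doas_rules "$tmp"
rm -f "$tmp"
```

Rules it prints are the ones to review on hosts still running OpenDoas 6.6 through 6.8; rules with a cmd clause are not listed.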
Comment 1 Sam James archtester gentoo-dev Security 2021-01-30 04:00:19 UTC
Please bump to 6.8.1.

(NOTE: Provisionally calling it C1, but not super happy with that classification.)
Comment 2 Larry the Git Cow gentoo-dev 2021-01-30 21:37:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd

commit 1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-30 21:37:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-30 21:37:21 +0000

    app-admin/doas: security bump to 6.8.1
    
    Bug: https://bugs.gentoo.org/767781
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/doas/Manifest          |  1 +
 app-admin/doas/doas-6.8.1.ebuild | 51 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-01-30 21:40:52 UTC Comment hidden (obsolete)
Comment 4 Sam James archtester gentoo-dev Security 2021-02-01 08:26:57 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-02-01 08:27:33 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-01 08:29:09 UTC
amd64 done

all arches done
Comment 7 Sam James archtester gentoo-dev Security 2021-02-01 08:29:43 UTC
Please cleanup!