Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767781 (CVE-2019-25016) - <app-admin/doas-6.8.1: fails to always reset PATH (CVE-2019-25016)
Summary: <app-admin/doas-6.8.1: fails to always reset PATH (CVE-2019-25016)
Status: RESOLVED FIXED
Alias: CVE-2019-25016
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-28 21:33 UTC by Sam James
Modified: 2021-07-07 08:05 UTC (History)
2 users (show)

See Also:
Package list:
app-admin/doas-6.8.1-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-01-28 21:33:47 UTC
"There is an unsafe incomplete reset of PATH in OpenDoas 6.6 through 6.8 when changing the user context."

See https://github.com/Duncaen/OpenDoas/issues/45 for more discussion:

"Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019.

One nuance about this is that the users PATH will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin.
If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset the PATH variable was already correct before this fix).

This means before the fix, users who only had access to execute a specific command were not able to execute other command through a "unsafe" PATH.

Users who were allowed to execute anything could change PATH to execute more things from PATH."
Comment 1 Sam James archtester gentoo-dev Security 2021-01-30 04:00:19 UTC
Please bump to 6.8.1.

(NOTE: Provisionally calling it C1, but not super happy with that classification.)
Comment 2 Larry the Git Cow gentoo-dev 2021-01-30 21:37:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd

commit 1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-30 21:37:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-30 21:37:21 +0000

    app-admin/doas: security bump to 6.8.1
    
    Bug: https://bugs.gentoo.org/767781
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/doas/Manifest          |  1 +
 app-admin/doas/doas-6.8.1.ebuild | 51 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-01-30 21:40:52 UTC Comment hidden (obsolete)
Comment 4 Sam James archtester gentoo-dev Security 2021-02-01 08:26:57 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-02-01 08:27:33 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-01 08:29:09 UTC
amd64 done

all arches done
Comment 7 Sam James archtester gentoo-dev Security 2021-02-01 08:29:43 UTC
Please cleanup!
Comment 8 John Helmert III gentoo-dev Security 2021-05-30 15:56:14 UTC
Cleanup done:

commit 30e45562f3aa3d48e64d08fe5db01b39c84e42ca
Author: Joonas Niilola <juippis@gentoo.org>
Date:   Sat Mar 20 09:10:15 2021 +0200

    app-admin/doas: drop 6.0, 6.6.1, 6.8

    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 delete mode 100644 app-admin/doas/doas-6.0.ebuild
 delete mode 100644 app-admin/doas/doas-6.6.1.ebuild
 delete mode 100644 app-admin/doas/doas-6.8.ebuild
Comment 9 John Helmert III gentoo-dev Security 2021-05-30 16:49:52 UTC
New GLSA request filed.
Comment 10 NATTkA bot gentoo-dev 2021-06-30 18:44:36 UTC
Unable to check for sanity:

> no match for package: app-admin/doas-6.8.1
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-07-07 08:05:28 UTC
This issue was resolved and addressed in
 GLSA 202107-11 at https://security.gentoo.org/glsa/202107-11
by GLSA coordinator Sam James (sam_c).