Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630752 (CVE-2017-20148) - app-admin/logcheck: root privilege escalation via "chown -R" in pkg_postinst
Summary: app-admin/logcheck: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED FIXED
Alias: CVE-2017-20148
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-11 22:45 UTC by Michael Orlitzky
Modified: 2022-09-25 13:57 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix privilege escalation (logcheck.patch,1.33 KB, patch)
2022-08-26 06:03 UTC, Manuel Mommertz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-11 22:45:48 UTC
The logcheck ebuilds all call "chown -R" on the root filesystem during pkg_postinst:

  pkg_postinst() {
      chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die

This is exploitable in the same way that the init scripts were: the first install is safe, but then the logcheck user can place a hard link in either of those directories pointing to e.g. /root/.bashrc. The next time logcheck is installed, the ebuild will call chown on the hardlink, and give ownership of /root/.bashrc to the "logcheck" user.

I'm marking this private, but the package is maintainer-needed, so it's up to @security who to CC. If someone wants to take a shot at it, my first attempt would be to use "fowners root:logcheck ..." and to do it on $D in src_install. Another call to fperms could then make those directories group-rwx. Neither call should operate recursively.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-12 08:58:55 UTC
@mrueg: Hi Manuel, I see you're the last dev to touch this package with a version bump earlier this year. Maybe you want to take a crack at fixing this issue and taking over maintainership of the package?
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-09-12 12:41:59 UTC
I'm not interested in maintaining it.


the cronjob is probably similarly vulnerable in /etc/cron.hourly/logcheck.cron
> chown -R logcheck:logcheck /var/lock/logcheck
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:18 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:29 UTC
unrestricting per bug 705894
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-11 03:55:26 UTC
(In reply to Larry the Git Cow from comment #18)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=2aa8d23c8600f65ddf12a27696c2b4b99babbd79
> 
> commit 2aa8d23c8600f65ddf12a27696c2b4b99babbd79
> Author:     John Helmert III <ajak@gentoo.org>
> AuthorDate: 2022-08-11 03:50:22 +0000
> Commit:     John Helmert III <ajak@gentoo.org>
> CommitDate: 2022-08-11 03:50:22 +0000
> 
>     profiles: last rite app-admin/logcheck
>     
>     Bug: https://bugs.gentoo.org/730752
>     Signed-off-by: John Helmert III <ajak@gentoo.org>
> 
>  profiles/package.mask | 5 +++++
>  1 file changed, 5 insertions(+)
Comment 6 Manuel Mommertz 2022-08-26 06:03:12 UTC
Created attachment 801076 [details, diff]
Fix privilege escalation

If it is just the privilege escalation, this is easily fixable (see patch).

Regarding a maintainer I cannot help, sorry. :)
Comment 7 Philippe Chaintreuil 2022-08-26 11:18:18 UTC
I'd be willing to proxy maintainer logcheck to keep it in the tree.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 11:27:36 UTC
(In reply to Philippe Chaintreuil from comment #7)
> I'd be willing to proxy maintainer logcheck to keep it in the tree.

That'd be great, thank you.
Comment 9 Jared B. 2022-08-29 19:20:30 UTC
Also, there was a comment about logcheck being "unmaintained since the git transition" in the last rights, but I can't figure out what that's referring to.  It seems like this is the current git repo:

https://salsa.debian.org/debian/logcheck

And that had a commit 2 weeks ago, plus several commits and a new release (1.3.24) in July.  So this doesn't seem to be unmaintained, though admittedly this is an outsider's view and there may be stuff behind the scenes that I don't see.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-29 19:27:45 UTC
(In reply to Jared B. from comment #9)
> Also, there was a comment about logcheck being "unmaintained since the git
> transition" in the last rights, but I can't figure out what that's referring
> to.  It seems like this is the current git repo:
> 
> https://salsa.debian.org/debian/logcheck
> 
> And that had a commit 2 weeks ago, plus several commits and a new release
> (1.3.24) in July.  So this doesn't seem to be unmaintained, though
> admittedly this is an outsider's view and there may be stuff behind the
> scenes that I don't see.

The last maintainer in Gentoo dropped the package in 2017:

commit 4228e93b4a73fd3f462d34eb0ce9949b066a7873
Author: Pawel Hajdan, Jr <phajdan.jr@gentoo.org>
Date:   Tue May 2 12:27:19 2017 +0200

    app-admin/logcheck: remove phajdan.jr from maintainers -> maintainer-needed

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

diff --git a/app-admin/logcheck/metadata.xml b/app-admin/logcheck/metadata.xml
index cc8cd37515a7..7a38bb900964 100644
--- a/app-admin/logcheck/metadata.xml
+++ b/app-admin/logcheck/metadata.xml
@@ -1,8 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-       <maintainer type="person">
-               <email>phajdan.jr@gentoo.org</email>
-               <name>Pawel Hajdan jr</name>
-       </maintainer>
+       <!-- maintainer-needed -->
 </pkgmetadata>


Before that, phajdan hadn't even touched the package since the ::gentoo git transition in 2015: https://github.com/gentoo/gentoo/commits/master/app-admin/logcheck
Comment 11 Jared B. 2022-08-31 13:08:50 UTC
(In reply to John Helmert III from comment #10)
> The last maintainer in Gentoo dropped the package in 2017:

Gotcha.  I had read that as unmaintained upstream.  Thanks for clarifying.
Comment 12 Philippe Chaintreuil 2022-09-16 00:13:35 UTC
(In reply to Sam James from comment #8)
> (In reply to Philippe Chaintreuil from comment #7)
> > I'd be willing to proxy maintainer logcheck to keep it in the tree.
> 
> That'd be great, thank you.

Actually, I'm going to have to retract this.  Turns out I'm still using logsentry, not logcheck.  (I was confused since logsentry's script is called logcheck.)  Sorry for the fake-out.  :-(
Comment 13 Larry the Git Cow gentoo-dev 2022-09-18 21:23:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1517666b3bb5e08ad6a85aceada2e9ddfc25f10

commit c1517666b3bb5e08ad6a85aceada2e9ddfc25f10
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:20:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:20:38 +0000

    app-admin/logcheck: treeclean
    
    Bug: https://bugs.gentoo.org/630752
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-admin/logcheck/Manifest               |  1 -
 app-admin/logcheck/files/logcheck.cron    | 10 -----
 app-admin/logcheck/logcheck-1.3.23.ebuild | 65 -------------------------------
 app-admin/logcheck/metadata.xml           |  5 ---
 profiles/package.mask                     |  5 ---
 5 files changed, 86 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31c1a39700a70382a13f65f6bef70698c174d8b4

commit 31c1a39700a70382a13f65f6bef70698c174d8b4
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:19:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:19:57 +0000

    net-analyzer/sguil-sensor: treeclean
    
    Bug: https://bugs.gentoo.org/630752
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-analyzer/sguil-sensor/Manifest                 |  1 -
 net-analyzer/sguil-sensor/files/log_packets.confd  | 18 -----
 net-analyzer/sguil-sensor/files/log_packets.initd  | 91 ----------------------
 net-analyzer/sguil-sensor/files/sensor_agent.initd | 29 -------
 net-analyzer/sguil-sensor/metadata.xml             | 12 ---
 .../sguil-sensor/sguil-sensor-1.0.0-r3.ebuild      | 81 -------------------
 profiles/package.mask                              |  5 --
 7 files changed, 237 deletions(-)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 18:47:38 UTC
GLSA request filed, CVE pending
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-25 13:43:53 UTC
GLSA released, all done!
Comment 16 Larry the Git Cow gentoo-dev 2022-09-25 13:57:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c119633f474d495980aaa3db92f8d90254200747

commit c119633f474d495980aaa3db92f8d90254200747
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:34:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-10 ] Logcheck: Root privilege escalation
    
    Bug: https://bugs.gentoo.org/630752
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-10.xml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)