Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621266 (CVE-2017-8108) - <app-forensics/lynis-2.5.2: Possible symlink attack on temporary file (CVE-2017-8108)
Summary: <app-forensics/lynis-2.5.2: Possible symlink attack on temporary file (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2017-8108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://cisofy.com/security/cve/cve-2...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-09 04:53 UTC by ncl
Modified: 2017-11-11 20:36 UTC (History)
2 users (show)

See Also:
Package list:
=app-forensics/lynis-2.5.2
Runtime testing required: ---
ncl: Assigned_To+
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ncl 2017-06-09 04:53:19 UTC
Michael Scherer discovered that some Lynis tests reuse the same temporary file. As some tests remove the temporary file, this might give an attacker the possibility to perform a link following attack. While timing must be perfect, there is a very small time window in which the attack can recreate the temporary file and symlink it to another resource, like a file. In this case data may be overwritten, or possibly executed.

Linux users may use sysctl and set both fs.protected_hardlinks=1 and fs.protected_symlinks=1, which may reduce the impact for this type of attack.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-06-09 08:48:42 UTC
CVE-2017-8108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8108):
  Unspecified tests in Lynis before 2.5.0 allow local users to write to
  arbitrary files or possibly gain privileges via a symlink attack on a
  temporary file.
Comment 2 Thomas Deutschmann gentoo-dev 2017-06-09 08:51:33 UTC
Doesn't affect Gentoo kernels with security coverage due to protected_{symlinks,hardlinks} hardening.


@ Maintainer(s): Please bump to >=app-forensics/lynis-2.5.0
Comment 3 charles17 2017-08-03 11:25:00 UTC
Shoud be superseded by version 2.5.2, see https://github.com/gentoo/gentoo/pull/5281
Comment 4 Patrice Clement gentoo-dev 2017-08-04 06:23:33 UTC
commit cada6eaa63e82a908cb06a863b5e4252973f1ff8 (HEAD)
Author:     charIes17 <charles17@arcor.de>
AuthorDate: Thu Aug 3 09:14:43 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Aug 4 08:22:13 2017 +0200

app-forensics/lynis: version bump to 2.5.2.

Gentoo-Bug: https://bugs.gentoo.org/621266
Gentoo-Bug: https://bugs.gentoo.org/591262

Package-Manager: Portage-2.3.6, Repoman-2.3.1
Closes: https://github.com/gentoo/gentoo/pull/5281

app-forensics/lynis/Manifest           |  1 +
app-forensics/lynis/lynis-2.5.2.ebuild | 55 ++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 app-forensics/lynis/lynis-2.5.2.ebuild
Comment 5 Patrice Clement gentoo-dev 2017-08-04 06:24:08 UTC
commit 6f1f6bea7cf05c5ede27af1a26f3c2f32e8c461e (HEAD -> master, origin/master, origin/HEAD)
Author:     charIes17 <charles17@arcor.de>
AuthorDate: Thu Aug 3 09:18:00 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Aug 4 08:22:21 2017 +0200

app-forensics/lynis: remove vulnerable versions.

Gentoo-Bug: https://bugs.gentoo.org/621266

Package-Manager: Portage-2.3.6, Repoman-2.3.1
Closes: https://github.com/gentoo/gentoo/pull/5281

app-forensics/lynis/Manifest           |  3 --
app-forensics/lynis/lynis-1.6.4.ebuild | 54 ----------------------------------
app-forensics/lynis/lynis-2.1.0.ebuild | 54 ----------------------------------
app-forensics/lynis/lynis-2.1.1.ebuild | 54 ----------------------------------
4 files changed, 165 deletions(-)
delete mode 100644 app-forensics/lynis/lynis-1.6.4.ebuild
delete mode 100644 app-forensics/lynis/lynis-2.1.0.ebuild
delete mode 100644 app-forensics/lynis/lynis-2.1.1.ebuild
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-06 18:10:07 UTC
@Maintainers: please call for stabilization when you are ready.

Coordinated with b-man.

Since we have removed a stable ebuild from tree, we need to ensure that the new keeps visibility or prepare a GLSA about the stable removal.

Thanks,

Security Team Padawan
ChrisADR
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2017-08-26 22:09:26 UTC
the package has never been stabilised, so closed with noglsa as vuln versions have been removed.
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2017-08-26 22:29:39 UTC
re-open to figure out about dropped stable version.

@monsieurp, ?
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 20:36:11 UTC
guess he doesn't care.