897706 – (CVE-2022-3560) app-crypt/pesign: root privilege escalation via symlink following

Bug 897706 (CVE-2022-3560) - app-crypt/pesign: root privilege escalation via symlink following

Summary: app-crypt/pesign: root privilege escalation via symlink following

Status:	CONFIRMED

Alias:	CVE-2022-3560

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	~1 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2023-02-25 16:43 UTC by John Helmert III
Modified:	2023-02-25 16:43 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-02-25 16:43:46 UTC

CVE-2022-3560:

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

RedHat managed to make the CVE itself completely opaque, but there's
more information on oss-security:

https://www.openwall.com/lists/oss-security/2023/01/31/6
https://www.openwall.com/lists/oss-security/2023/02/01/2

But even these don't say that the fixed version is 116. It's not in
the release notes either:

https://github.com/rhboot/pesign/releases/tag/116

But it is noted in the relase commit:

https://github.com/rhboot/pesign/commit/c8d7c76f1848d324ee3b72ca602d01b988e6238e

The fix itself is https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998