Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 878277 (CVE-2022-3650) - <sys-cluster/ceph-{16.2.13,17.2.6}: root privilege escalation via ceph-crash.service
Summary: <sys-cluster/ceph-{16.2.13,17.2.6}: root privilege escalation via ceph-crash....
Alias: CVE-2022-3650
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+]
Depends on:
Reported: 2022-10-25 16:41 UTC by John Helmert III
Modified: 2023-12-23 08:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 16:41:04 UTC
"The ceph-crash.service [2] runs the ceph-crash Python script [3] as
root. The script is operating in the directory /var/lib/ceph/crash which
is controlled by the unprivileged ceph user (ceph:ceph mode 0750). The
script periodically scans for new crash directories and forwards the
content via `ceph crash post`. This constellation is subject to security
issues that can allow the ceph user to either:

1) post arbitrary data as a "crash dump", even content from private
   files owned by root. The consequences of this are not fully clear to me,
   it could be an information leak if the security domain of "root" on the
   system is different to the security domain of wherever the ceph-crash
   data will be sent to / accessible afterwards. The `ceph crash post`
   command expects JSON input, however, thus the degree of freedom for
   this is reduced.

2) cause a denial-of-service by feeding large amounts of data into the
   `ceph crash post` process. This can cause high amounts of memory and CPU
   consumption. By placing a symlink or FIFO into the directory instead of
   an actual file, the script can be made to read from a device file
   like /dev/random or to block forever.

3) cause a local ceph to root user privilege escalation by tricking
   ceph-crash to move a ceph controlled file into a privileged file system
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-21 05:48:18 UTC
This fixed in 16.2.13 and 17.2.6 according to the upstream release notes.
Comment 2 Larry the Git Cow gentoo-dev 2023-12-23 08:04:56 UTC
The bug has been referenced in the following commit(s):

commit 3634d35ada842fa025f9256ff4403747e362b14f
Author:     GLSAMaker <>
AuthorDate: 2023-12-23 08:04:29 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-12-23 08:04:50 +0000

    [ GLSA 202312-10 ] Ceph: Root Privilege Escalation
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202312-10.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)