[gentoo-announce] [ GLSA 200404-01 ] Insecure sandbox temporary lockfile vulnerabilities in Portage - gentoo-announce

From:	Tim Yamin <plasmaroo@g.o>
To:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com, gentoo-core@l.g.o, gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 200404-01 ] Insecure sandbox temporary lockfile vulnerabilities in Portage
Date:	Tue, 06 Apr 2004 16:12:47
Message-Id:	`4072D6B3.9010706@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200404-01

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

~                                            http://security.gentoo.org

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

~  Severity: Normal

11

~     Title: Insecure sandbox temporary lockfile vulnerabilities in

12

~            Portage

13

~      Date: April 04, 2004

14

~      Bugs: #21923

15

~        ID: 200404-01

16

17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

18

19

Synopsis

20

========

21

22

A flaw has been found in the temporary file handling algorithms for the

23

sandboxing code used within Portage. Lockfiles created during normal

24

Portage operation of portage could be manipulated by local users

25

resulting in the truncation of hard linked files; causing a Denial of

26

Service attack on the system.

27

28

Background

29

==========

30

31

Portage is Gentoo's package management system which is responsible for

32

installing, compiling and updating any ebuilds on the system through the

33

Gentoo rsync tree. Under default configurations, most ebuilds run under

34

a sandbox which prevent the build process writing to the "real" system

35

outside the build directory - packages are installed into a temporary

36

location and then copied over safely by Portage instead. During the

37

process the sandbox wrapper creates lockfiles in the /tmp directory

38

which are vulnerable to a hard-link attack.

39

40

Affected packages

41

=================

42

43

~    -------------------------------------------------------------------

44

~     Package           /    Vulnerable    /                 Unaffected

45

~    -------------------------------------------------------------------

46

~     sys-apps/portage       < 2.0.50-r3                   >= 2.0.50-r3

47

48

Description

49

===========

50

51

A flaw in Portage's sandbox wrapper has been found where the temporary

52

lockfiles are subject to a hard-link attack which allows linkable files

53

to be overwritten to an empty file. This can be used to damage critical

54

files on a system causing a Denial of Service, or alternatively this

55

attack may be used to cause other security risks; for example firewall

56

configuration data could be overwritten without notice.

57

58

The vulnerable sandbox functions have been patched to test for these new

59

conditions: namely; for the existance of a hard-link which would be

60

removed before the sandbox process would continue, for the existance of

61

a world-writable lockfile in which case the sandbox would also remove

62

it, and also for any mismatches in the UID ( anything but root ) and the

63

GID ( anything but the group of the sandbox process ).

64

65

If the vulnerable files cannot be removed by the sandbox, then the

66

sandbox would exit with a fatal error warning the adminstrator of the

67

issue. The patched functions also fix any other sandbox I/O operations

68

which do not explicitly include the mentioned lockfile.

69

70

Impact

71

======

72

73

Any user with write access to the /tmp directory can hard-link a file to

74

/tmp/sandboxpids.tmp - this file would eventually be replaced with an

75

empty one; effectively wiping out the file it was linked to as well with

76

no prior warning. This could be used to potentially disable a vital

77

component of the system and cause a path for other possible exploits.

78

79

This vulnerability only affects systems that have /tmp on the root

80

partition: since symbolic link attacks are filtered, /tmp has to be on

81

the same partition for an attack to take place.

82

83

Workaround

84

==========

85

86

A workaround is not currently known for this issue. All users are

87

advised to upgrade to the latest version of Portage.

88

89

Resolution

90

==========

91

92

Users should upgrade to Portage 2.0.50-r3 or later:

93

94

~    # emerge sync

95

96

~    # emerge -pv ">=sys-apps/portage-2.0.50-r3"

97

~    # emerge ">=sys-apps/portage-2.0.50-r3"

98

99

Concerns?

100

=========

101

102

Security is a primary focus of Gentoo Linux and ensuring the

103

confidentiality and security of our users machines is of utmost

104

importance to us. Any security concerns should be addressed to

105

security@g.o or alternatively, you may file a bug at

106

http://bugs.gentoo.org.

107

-----BEGIN PGP SIGNATURE-----

108

Version: GnuPG v1.2.4 (GNU/Linux)

109

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

110

111

iD8DBQFActamMMXbAy2b2EIRAvS7AJ9ZNP6RDJmchIAB1mKNbBl3vAx79wCfQ9o5

112

+xERggLqteDI3v4IFaMpFFU=

113

=shBP

114

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200404-01
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	~ http://security.gentoo.org
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	~ Severity: Normal
11	~ Title: Insecure sandbox temporary lockfile vulnerabilities in
12	~ Portage
13	~ Date: April 04, 2004
14	~ Bugs: #21923
15	~ ID: 200404-01
16
17	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18
19	Synopsis
20	========
21
22	A flaw has been found in the temporary file handling algorithms for the
23	sandboxing code used within Portage. Lockfiles created during normal
24	Portage operation of portage could be manipulated by local users
25	resulting in the truncation of hard linked files; causing a Denial of
26	Service attack on the system.
27
28	Background
29	==========
30
31	Portage is Gentoo's package management system which is responsible for
32	installing, compiling and updating any ebuilds on the system through the
33	Gentoo rsync tree. Under default configurations, most ebuilds run under
34	a sandbox which prevent the build process writing to the "real" system
35	outside the build directory - packages are installed into a temporary
36	location and then copied over safely by Portage instead. During the
37	process the sandbox wrapper creates lockfiles in the /tmp directory
38	which are vulnerable to a hard-link attack.
39
40	Affected packages
41	=================
42
43	~ -------------------------------------------------------------------
44	~ Package / Vulnerable / Unaffected
45	~ -------------------------------------------------------------------
46	~ sys-apps/portage < 2.0.50-r3 >= 2.0.50-r3
47
48	Description
49	===========
50
51	A flaw in Portage's sandbox wrapper has been found where the temporary
52	lockfiles are subject to a hard-link attack which allows linkable files
53	to be overwritten to an empty file. This can be used to damage critical
54	files on a system causing a Denial of Service, or alternatively this
55	attack may be used to cause other security risks; for example firewall
56	configuration data could be overwritten without notice.
57
58	The vulnerable sandbox functions have been patched to test for these new
59	conditions: namely; for the existance of a hard-link which would be
60	removed before the sandbox process would continue, for the existance of
61	a world-writable lockfile in which case the sandbox would also remove
62	it, and also for any mismatches in the UID ( anything but root ) and the
63	GID ( anything but the group of the sandbox process ).
64
65	If the vulnerable files cannot be removed by the sandbox, then the
66	sandbox would exit with a fatal error warning the adminstrator of the
67	issue. The patched functions also fix any other sandbox I/O operations
68	which do not explicitly include the mentioned lockfile.
69
70	Impact
71	======
72
73	Any user with write access to the /tmp directory can hard-link a file to
74	/tmp/sandboxpids.tmp - this file would eventually be replaced with an
75	empty one; effectively wiping out the file it was linked to as well with
76	no prior warning. This could be used to potentially disable a vital
77	component of the system and cause a path for other possible exploits.
78
79	This vulnerability only affects systems that have /tmp on the root
80	partition: since symbolic link attacks are filtered, /tmp has to be on
81	the same partition for an attack to take place.
82
83	Workaround
84	==========
85
86	A workaround is not currently known for this issue. All users are
87	advised to upgrade to the latest version of Portage.
88
89	Resolution
90	==========
91
92	Users should upgrade to Portage 2.0.50-r3 or later:
93
94	~ # emerge sync
95
96	~ # emerge -pv ">=sys-apps/portage-2.0.50-r3"
97	~ # emerge ">=sys-apps/portage-2.0.50-r3"
98
99	Concerns?
100	=========
101
102	Security is a primary focus of Gentoo Linux and ensuring the
103	confidentiality and security of our users machines is of utmost
104	importance to us. Any security concerns should be addressed to
105	security@g.o or alternatively, you may file a bug at
106	http://bugs.gentoo.org.
107	-----BEGIN PGP SIGNATURE-----
108	Version: GnuPG v1.2.4 (GNU/Linux)
109	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
110
111	iD8DBQFActamMMXbAy2b2EIRAvS7AJ9ZNP6RDJmchIAB1mKNbBl3vAx79wCfQ9o5
112	+xERggLqteDI3v4IFaMpFFU=
113	=shBP
114	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce