- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory                 GLSA 200404-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Insecure sandbox temporary lockfile vulnerabilities in
            Portage
      Date: April 04, 2004
      Bugs: #21923
        ID: 200404-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw has been found in the temporary file handling algorithms for the
sandboxing code used within Portage. Lockfiles created during normal
Portage operation could be manipulated by local users, resulting in the
truncation of hard-linked files and causing a Denial of Service on the
system.

Background
==========

Portage is Gentoo's package management system, which is responsible for
installing, compiling and updating any ebuilds on the system through the
Gentoo rsync tree. Under default configurations, most ebuilds run under
a sandbox which prevents the build process from writing to the "real"
system outside the build directory: packages are installed into a
temporary location and then copied over safely by Portage instead. During
this process the sandbox wrapper creates lockfiles in the /tmp directory
which are vulnerable to a hard-link attack.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
     sys-apps/portage          < 2.0.50-r3                >= 2.0.50-r3

Description
===========

A flaw in Portage's sandbox wrapper has been found where the temporary
lockfiles are subject to a hard-link attack, which allows any file that
can be hard-linked to be overwritten with an empty file. This can be used
to damage critical files on a system, causing a Denial of Service, or
alternatively this attack may be used to create other security risks; for
example, firewall configuration data could be overwritten without notice.

The vulnerable sandbox functions have been patched to test for these new
conditions: namely, for the existence of a hard link, which is removed
before the sandbox process continues; for the existence of a
world-writable lockfile, in which case the sandbox also removes it; and
for any mismatch in the UID (anything but root) or the GID (anything but
the group of the sandbox process).

If the vulnerable files cannot be removed by the sandbox, the sandbox
exits with a fatal error warning the administrator of the issue. The
patched functions also fix any other sandbox I/O operations which do not
explicitly involve the mentioned lockfile.

Impact
======

Any user with write access to the /tmp directory can hard-link a file to
/tmp/sandboxpids.tmp; this file would eventually be replaced with an
empty one, effectively wiping out the file it was linked to as well, with
no prior warning. This could be used to disable a vital component of the
system and open a path for other possible exploits.

This vulnerability only affects systems that have /tmp on the root
partition: since symbolic link attacks are filtered, /tmp has to be on
the same partition as the target file for an attack to take place.
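As an added example (not the sandbox's own code) of the checks the patched sandbox performs, as described above, and of the hard-link scenario from the Impact section: lockfile_check accepts a lockfile only if it is a plain file with a single link, not world-writable and owned by the expected uid/gid, and otherwise unlinks it or reports a fatal condition; demo_lockfile builds the attack case and the benign case in a scratch directory under /tmp. Both names are hypothetical, and because the demo runs unprivileged it passes the current user's uid/gid where the real sandbox would expect root and its own group.

```c
#define _GNU_SOURCE 1                 /* expose mkdtemp/lstat/link on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum lock_status { LOCK_OK, LOCK_ABSENT, LOCK_REMOVED, LOCK_FATAL };

/* Hypothetical check modelled on the advisory's fix (not the sandbox's own code):
 * accept the lockfile only if it is a plain file with one link, not world-writable
 * and owned by the expected uid/gid; otherwise unlink it, or fail hard if we cannot. */
enum lock_status lockfile_check(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)                      /* no lockfile yet: fine */
        return LOCK_ABSENT;
    int ok = S_ISREG(st.st_mode)                    /* not a symlink/fifo/... */
          && st.st_nlink == 1                       /* no hard link elsewhere */
          && !(st.st_mode & S_IWOTH)                /* not world-writable */
          && st.st_uid == want_uid && st.st_gid == want_gid;
    if (ok)
        return LOCK_OK;
    return unlink(path) == 0 ? LOCK_REMOVED : LOCK_FATAL;
}

/* Constructed scenario in a fresh scratch directory under /tmp: a victim config
 * file plus a lockfile that is genuine (attack == 0) or a hard link to the victim
 * (attack == 1). Returns the verdict, or -1 if setup failed or the victim was harmed. */
int demo_lockfile(int attack)
{
    char dir[] = "/tmp/glsa-demo-XXXXXX", victim[64], lock[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(lock, sizeof lock, "%s/sandboxpids.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important config\n", f);                 /* 17 bytes */
    fclose(f);
    int made = attack ? link(victim, lock)           /* attacker's hard link */
                      : close(open(lock, O_WRONLY | O_CREAT | O_EXCL, 0644));
    if (made != 0) return -1;
    int rc = (int)lockfile_check(lock, getuid(), getgid());
    struct stat st;                                  /* victim must be untouched */
    int intact = lstat(victim, &st) == 0 && st.st_nlink == 1 && st.st_size == 17;
    unlink(lock); unlink(victim); rmdir(dir);
    return intact ? rc : -1;
}
```

In the attack case the check unlinks only the extra link, so the victim keeps its contents; a real sandbox would treat LOCK_FATAL as the cue to abort, as the advisory describes.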

Workaround
==========

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of Portage.

Resolution
==========

Users should upgrade to Portage 2.0.50-r3 or later:

    # emerge sync

    # emerge -pv ">=sys-apps/portage-2.0.50-r3"
    # emerge ">=sys-apps/portage-2.0.50-r3"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.