Your message dated Sun, 12 May 2019 03:33:29 +0000
with message-id <e1hpfev-000abw...@fasolo.debian.org>
and subject line Bug#924397: fixed in corekeeper 1.7
has caused the Debian Bug report #924397,
regarding corekeeper: insecure use of world-writable /var/crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924397: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924397
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: corekeeper
Version: 1.6
Severity: critical
Tags: security

(I reported this privately in 2016...)

/usr/lib/corekeeper/dump does this:

  mkdir -p "/var/crash/$owner"

This is pretty bad. /var/crash is world-writable, so anybody could have created a subdirectory there. "mkdir -p" will succeed if /var/crash/$owner/ exists, even when it's owned by another user.

An attacker could exploit this to read other users' core files. Additionally, on systems that have protected_symlinks or protected_symlinks disabled, this could be exploited to take ownership of arbitrary files, or to overwrite arbitrary files.

I don't understand why /var/crash is world-writable; but if it has to be for some reason, then the crash handler must verify that /var/crash/$owner is in fact a directory owned by the right user. Verifying that the directory has the right permissions (700) is probably also a good idea.

--
Jakub Wilk

--- End Message ---
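
The check the report asks for (a real directory, owned by the right user, mode 700), as an added shell example that is not part of the original message and is not corekeeper's code. It assumes GNU stat and a numeric UID as the per-user directory name; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not corekeeper's dump script.
# Assumptions: GNU coreutils stat(1); the owner is passed as a numeric UID.

# verify_owner_dir DIR UID
# Succeeds only if DIR is a real directory (not a symlink), owned by UID,
# with mode exactly 700.
verify_owner_dir() {
    dir=$1 want_uid=$2
    [ -L "$dir" ] && return 1          # reject a symlink at the final component
    [ -d "$dir" ] || return 1          # must be a directory
    # stat without -L reports on the entry itself, not a symlink target
    meta=$(stat -c '%u %a' -- "$dir") || return 1
    [ "$meta" = "$want_uid 700" ]
}

# prepare_owner_dir BASE UID
# Creates BASE/UID if it is absent, then verifies it either way.
prepare_owner_dir() {
    base=$1 uid=$2
    dir="$base/$uid"
    # No -p: plain mkdir fails on an existing entry instead of silently
    # accepting a directory somebody else created first.
    if mkdir -m 700 -- "$dir" 2>/dev/null; then
        # Handing the directory to another UID needs root; skip if it is ours.
        [ "$(id -u)" = "$uid" ] || chown -- "$uid" "$dir" || return 1
    fi
    # A pre-existing entry is accepted only if it passes every check.
    verify_owner_dir "$dir" "$uid"
}
```

Checking a path and then using it leaves a window between the two steps, so a check like this is strongest when the parent directory is not writable by other users, which is the direction the 1.7 changelog further down takes.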
--- Begin Message ---
Source: corekeeper
Source-Version: 1.7

We believe that the bug you reported is fixed in the latest version of
corekeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Wise <p...@debian.org> (supplier of updated corekeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 May 2019 14:53:44 +0800
Source: corekeeper
Architecture: source
Version: 1.7
Distribution: unstable
Urgency: medium
Maintainer: Paul Wise <p...@debian.org>
Changed-By: Paul Wise <p...@debian.org>
Closes: 924397 924398
Changes:
 corekeeper (1.7) unstable; urgency=medium
 .
   * Do not use a world-writable /var/crash with the dumper script
     and fix the permissions on upgrade as dpkg doesn't do that.
     (Closes: #924397) (See-also: #515211)
   * Handle older versions of the Linux kernel in a safer way
     (Closes: #924398)
   * Harden ownership determination and core file names
   * Do not truncate core names for executables with spaces
   * Update VCS URLs from alioth to salsa
Checksums-Sha1:
 92af0ea48086f93371afdeec82e3168ea7868188 1535 corekeeper_1.7.dsc
 178dc81ae008210bb9623fb0838ff87844630da7 6124 corekeeper_1.7.tar.xz
Checksums-Sha256:
 c6369fba3a211a145c8afecb6c6e761670d44bbf751849622fc584ec0e446f31 1535 corekeeper_1.7.dsc
 353dbcc4ae320ed1cc415f8cc0971e9d559e9be3e4afdf56c860216b99d75a48 6124 corekeeper_1.7.tar.xz
Files:
 3fa5bad85732792ceefdc5a9e6389c9f 1535 admin extra corekeeper_1.7.dsc
 65f9483e5ea428c7d29945fe42338979 6124 admin extra corekeeper_1.7.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
