Apologies for my long delay in dealing with these bugs, both reported by halfdog. Fixes turned out to be quite complicated, since in part they involved unwinding incorrect logic from nearly 20 years ago and ensuring that everything else built on that was appropriately adjusted.
Here are the relevant sections from my release announcement, which should appear at https://lists.nongnu.org/archive/html/man-db- announce/2016-12/msg00000.html in the near future: * SECURITY: Eliminate dangerous setgid-root directories. In the default configuration, cache files and directories are now owned by man:man rather than man:root; man and mandb are now setgid man as well as setuid man (except in the --disable-setuid case). This is a much simpler and safer solution to the original problem that caused my predecessor to make directories setgid root, and doesn't introduce any interesting new privilege since the man group's only real purpose is to be the man user's primary group and nothing in cache directories is group-writeable. Maintainers of distribution packagers should take care to review their installation rules in light of this change. As far as I know this has no CVE ID, but it is described here: http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ [...] Notes for distributors ====================== The security fix above was quite involved. If you're trying to backport it to a stable release, then you should probably consider at least these commits: e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions 9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings 0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option 94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid 31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories 755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes 75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man Feel free to contact me if you have difficulty. You should also consider http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/, which could not be fixed without fixing the above bug first; while this bug was in Debian-specific cron jobs, others may have copied them. I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities. I'd be happy to help out the Debian and Ubuntu security teams with backports if they need it, although hopefully the above list of git commits is enough to get started. ** Changed in: man-db (Ubuntu) Assignee: (unassigned) => Colin Watson (cjwatson) ** Changed in: man-db (Ubuntu) Importance: Medium => High ** Changed in: man-db (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
