A serious security issue in paludis was brought to my attention recently, and I feel I should make you all aware. Apparently someone, with root access to a machine, can gain root access by installing or editing paludis config files.
For those interested, this is how it happened (times are GMT+1):
22:34 <@ferdy> bonsaikitten: can you give me any details regarding that security bug in paludis? 22:35 <+bonsaikitten> ferdy: it's so obvious you should have found it already 22:37 <@ferdy> bonsaikitten: I should, but I probably haven't 22:37 <+bonsaikitten> ferdy: well, as I am a moron I'm unable to coherently explain :) 22:37 <@ferdy> bonsaikitten: I mean, depends on whether we are talking about a real security issue or about something we should document to avoid people shooting themselves in the foot 22:39 <@ferdy> bonsaikitten: is that all you are going to tell me? 22:39 <+bonsaikitten> ferdy: come on, it's obvious. You're supposed to be smart ... 22:39 * bonsaikitten is not in a mood to explain 22:40 <@ferdy> bonsaikitten: you aren't really talking about the paludisbuild issue, are you? 22:41 <+bonsaikitten> mmh no, that's a different one 22:41 <@ferdy> k 22:41 <@ferdy> bonsaikitten: what are we talking about? 22:42 <@ferdy> bonsaikitten: you don't need to explain it... just say, in general terms, what the issue is 22:50 <@ferdy> bonsaikitten: so? care to give any useful hint? 22:50 <+bonsaikitten> ferdy: doesn't happen in portage compatibility mode 22:51 <+bonsaikitten> but I blame the vodka, hard to explain when *burp* *giggle* 22:52 <@ferdy> bonsaikitten: what's the impact? 22:53 <+bonsaikitten> ferdy: depends on how annoying the other person is 22:54 <+bonsaikitten> ferdy: worst case random file modification 22:58 <@ferdy> bonsaikitten: and we already agreed that we aren't talking about the paludisbuild issue, right? 22:59 <@ferdy> bonsaikitten: if we aren't, I'll need more hints.... 23:05 <@ferdy> bonsaikitten: can I get an attack vector? 23:05 <@ferdy> that shouldn't need lots of explaining... I can figure out that part myself 23:19 <@ferdy> bonsaikitten: have you got that attack vector for me? 23:24 <+bonsaikitten> ferdy: look at configuration files, maybe you notice that there's some exquisit code execution possible there 23:29 <@ferdy> bonsaikitten: you mean those config files that only root can edit? I must be missing something here 23:29 <+bonsaikitten> ferdy: you are :) 23:29 <+bonsaikitten> not much, and it's basically the same flaw bashrc is for portage 23:29 <+bonsaikitten> only that bashrc is config_protect'ed ... 23:30 <@ferdy> bonsaikitten: but for a package to clover those files, it must be in a repo root added, right? 23:31 <+bonsaikitten> someone in the package mangler group, but yes 23:35 <@ferdy> bonsaikitten: but if you can change those files in the first place, why clover them by adding a malicious repo with a malicious package that changes those files? 23:35 <+bonsaikitten> ferdy: because it's very subtle 23:36 <@ferdy> moreover, if you can already do that, why not just make the package install whatever backdoor you want? 23:37 <@ferdy> I mean, it is subtle, but why would anyone go the 'convoluted' route? he is already able to edit those files (since he had to add that repo) 23:38 <+bonsaikitten> 'cause only paludis is affected and you will find it very hard to trace 23:38 <+bonsaikitten> that makes it so tempting ... 23:40 <+bonsaikitten> just don't be surprised if it suddenly unmerges itself :) 23:41 <@ferdy> yeah... well... 23:41 <@ferdy> bonsaikitten: mind if I disclose this vulnerability in planet.gentoo.org? 23:42 <+bonsaikitten> go ahead 23:42 <@ferdy> ta 23:42 <+bonsaikitten> 't is even on the features page of the package mangler :)
This is a good lesson to learn today:
If you can edit files owned by root in a machine, you can get root access to that machine.
So the bottom line is: There is no vulnerability, if you can mangle paludis config files, you are already root so you don’t need to edit a file to run any command you want. Another lesson one can learn by reading that log is how to be really cooperative.
Ah, and before someone with a need to use cheap psychology asks, the intention of this blag post is to stop the FUD.
– ferdy