Date: Fri, 2 Dec 2016 11:43:08 +0100
From: Sébastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: 2 issues in tomcat8 Debian packaging

Hello,

the Debian security team would like to request 2 CVEs, for issues
discovered by Paul Szabo in the tomcat8 Debian packaging.

* Privilege escalation when upgrading tomcat8 package
  https://bugs.debian.org/845393

> Having installed tomcat8, the directory /etc/tomcat8/Catalina is
> set writable by group tomcat8, as per the postinst script. Then
> the tomcat8 user, in the situation envisaged in DSA-3670 and
> DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
> could use something like commands
>
>   mv /etc/tomcat8/Catalina/localhost /tmp/
>   ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
>
> to create a symlink.
>
> Then when the tomcat8 package is upgraded (e.g. for the next DSA),
> the postinst script runs
>
>   chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
>
> and that will make the /etc/shadow file world-readable (and
> group-writable). Other useful attacks might be to make the
> objects:
>
>   /root/.Xauthority
>   /etc/ssh/ssh_host_dsa_key
>
> world-readable; or make something (already owned by group tomcat8)
> group-writable (some "policy" setting maybe?).

* Privilege escalation when removing tomcat8 package
  https://bugs.debian.org/845395

> Having installed tomcat8, the directory /etc/tomcat8/Catalina is
> set writable by group tomcat8, as per the postinst script. Then
> the tomcat8 user, in the situation envisaged in DSA-3670 and
> DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
> could use something like commands
>
>   touch /etc/tomcat8/Catalina/attack
>   chmod 2747 /etc/tomcat8/Catalina/attack
>
> Then if the tomcat8 package is removed (purged?), the postrm
> script runs
>
>   chown -Rhf root:root /etc/tomcat8/
>
> and that will leave the file world-writable, setgid root:
>
>   # ls -l /etc/tomcat8/Catalina/attack
>   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
>
> allowing "group root" access to the world.

Cheers,

--Seb
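The two maintainer-script hazards above, reproduced as an added example that is not part of the mail, the Debian bug reports, or the tomcat8 packaging. It builds a throwaway tree under mktemp(1) that stands in for /etc/tomcat8 and /etc/shadow, so it runs unprivileged against files the caller owns; the postrm stand-in chowns to the caller's own uid:gid instead of root:root. Beside each reported script fragment is a hardened variant: the postinst one refuses to chmod anything that is a symlink (chmod(1) always dereferences, so the check has to precede the call), and the postrm one strips setuid/setgid from every regular file before the recursive chown. The function names, the `mode_of` helper, and the GNU `stat -c`/`find -perm /6000` invocations are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the tomcat8 maintainer scripts: sandboxed reproduction of
# Debian bugs 845393 (postinst chmod follows a symlink) and 845395 (postrm
# chown leaves a setgid file). Assumes GNU coreutils/findutils on Linux.
set -eu

# Stand-in tree under $1 (constructed):
#   $1/shadow                 stands in for /etc/shadow, mode 0600
#   $1/etc/tomcat8/Catalina   the group-writable confdir from postinst
setup_tree() {
    mkdir -p "$1/etc/tomcat8/Catalina/localhost"
    printf 'root:*:17000:0:99999:7:::\n' > "$1/shadow"   # constructed content
    chmod 600 "$1/shadow"
}

mode_of() { stat -c '%a' "$1"; }      # octal mode, e.g. 600 or 2747

# --- Bug 845393 -------------------------------------------------------------

# The reported postinst fragment: chmod dereferences the planted symlink,
# so the target (our stand-in for /etc/shadow) ends up 0775.
vulnerable_postinst() {
    chmod 775 "$1" "$1/localhost"
}

# Hardened variant: never change the mode of a path that is a symlink.
# There is still a TOCTOU window between the test and the chmod; the
# durable fix is not to chmod paths the service account can write to.
hardened_postinst() {
    for p in "$1" "$1/localhost"; do
        if [ -L "$p" ]; then
            echo "refusing to chmod symlink $p" >&2
            return 1
        fi
    done
    chmod 775 "$1" "$1/localhost"
}

# Plants the symlink as the tomcat8 user would, runs the given postinst
# function, and prints the resulting mode of the "shadow" stand-in.
run_postinst_scenario() {   # $1 = postinst function name
    d=$(mktemp -d)
    setup_tree "$d"
    catalina="$d/etc/tomcat8/Catalina"
    rmdir "$catalina/localhost"                 # attacker: swap dir for symlink
    ln -s "$d/shadow" "$catalina/localhost"
    "$1" "$catalina" 2>/dev/null || true        # hardened variant returns 1
    mode_of "$d/shadow"
    rm -rf "$d"
}

# --- Bug 845395 -------------------------------------------------------------

# The reported postrm fragment (chown to ourselves instead of root:root so
# it works unprivileged). The kernel drops S_ISGID on chown only when the
# group-execute bit is also set, so mode 2747 survives the recursive chown.
vulnerable_postrm() {
    chown -Rhf "$(id -u):$(id -g)" "$1"
}

# Hardened variant: clear setuid/setgid on every regular file first, so
# nothing under the tree can come out of the chown privileged.
hardened_postrm() {
    find "$1" -type f -perm /6000 -exec chmod u-s,g-s {} +
    chown -Rhf "$(id -u):$(id -g)" "$1"
}

# Plants the 2747 file, runs the given postrm function, prints its mode.
run_postrm_scenario() {     # $1 = postrm function name
    d=$(mktemp -d)
    setup_tree "$d"
    catalina="$d/etc/tomcat8/Catalina"
    touch "$catalina/attack"                    # attacker step from the report
    chmod 2747 "$catalina/attack"
    "$1" "$d/etc/tomcat8"
    mode_of "$catalina/attack"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    echo "postinst, reported : shadow mode $(run_postinst_scenario vulnerable_postinst)"
    echo "postinst, hardened : shadow mode $(run_postinst_scenario hardened_postinst)"
    echo "postrm,   reported : attack mode $(run_postrm_scenario vulnerable_postrm)"
    echo "postrm,   hardened : attack mode $(run_postrm_scenario hardened_postrm)"
fi
```

Run it as `sh script.sh demo`. The reported postinst turns the 0600 stand-in into 0775 through the symlink while the hardened one leaves it at 0600; the reported postrm leaves the attacker's file at 2747 (setgid intact, because the group-execute bit was deliberately left clear) while the hardened one leaves 0747. The same two points carry over to any package script that runs chmod or chown under a directory the service account can write to.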