Date: Thu, 4 Jul 2019 14:59:14 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: deepin-clone: various symlink attacks

Hello,

deepin-clone [1] is a command line and graphical disk backup utility that is
part of the deepin desktop environment (a desktop environment focused on
Chinese users).

In the course of a review [2] of the polkit privileges used by the application
the following major security issues have been found:

1) (CVE-2019-13227) In GUI mode deepin-clone creates `/tmp/.deepin-clone.log`
   as root and follows symlinks there. Since `/tmp` is world-writable, a local
   attacker can plant a symlink at that path beforehand and have the root
   process create or append to an arbitrary file.

2) (CVE-2019-13226) `Helper::temporaryMountDevice()` uses the predictable path
   `/tmp/.deepin-clone/mount/<block-dev-basename>` to temporarily mount a file
   system. These paths can be prepared by an attacker and symlinks will be
   followed during mounting. If the attacker wins a race condition by quickly
   entering the mount point (e.g. making it the working directory of a
   process, which keeps the mount busy), then it can also prevent the
   following unmount. This logic can e.g. be triggered by running
   `deepin-clone -i /dev/sdX`. An attacker can thus cause the file system to
   be permanently mounted at an arbitrary location in the file system.

3) (CVE-2019-13229) `Helper::getPartitionSizeInfo()` uses `/tmp/partclone.log`
   as a fixed path during execution of partclone. The same issues about
   symlink attacks etc. as in 1) apply here.

4) (CVE-2019-13228) Similarly, in `BootDoctor::fix()` the fixed path
   `/tmp/repo.iso` is created and the fixed directory `/tmp/.deepin-clone` is
   used. The same concerns as in 1) and 3) apply. By winning a race condition
   and replacing `/tmp/repo.iso` with an attacker controlled iso file, further
   privilege escalation may be possible.

The issues have been fixed via the upstream commit [3].

Best Regards

Matthias

[1]: https://github.com/linuxdeepin/deepin-clone
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1130388
[3]: https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)
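The pattern behind items 1), 3) and 4) above (a privileged process opening a fixed name in a world-writable directory with `open(O_CREAT)` and no `O_EXCL`/`O_NOFOLLOW`) and the directory part of 2) (a predictable `/tmp/...` work directory) can be shown side by side with their hardened forms. The following is an added example written for this page; it is not deepin-clone's code and not the upstream fix. It runs as an unprivileged user and uses a private `mkdtemp` scratch directory instead of `/tmp` itself, so "attacker" and "victim" are the same uid here; the syscall flags are the point. The file and directory names (`victim`, `.deepin-clone.log`, `deepin-clone-example.XXXXXX`) are assumptions made for the demonstration.

```cpp
// Added example (not deepin-clone code): symlink-following open() vs. a
// hardened open(), plus an unpredictable private work directory.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Vulnerable pattern: fixed path in a world-writable directory, opened with
// O_CREAT but without O_EXCL/O_NOFOLLOW. If `path` is a symlink planted by
// an attacker, the write lands wherever the link points.
int open_log_following_symlinks(const char* path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

// Hardened pattern: O_EXCL makes open() fail if anything already exists at
// `path` (a symlink included, regardless of its target); O_NOFOLLOW refuses
// to follow a symlink in the final component. The caller must treat -1 as
// fatal rather than fall back to some other path.
int open_log_safely(const char* path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
}

// Replacement for a predictable `/tmp/<fixed>/mount/<dev>` directory: an
// unpredictable, mode-0700 directory created atomically by mkdtemp(3).
// Returns "" on failure. (Directory template name is an assumption.)
std::string make_private_workdir() {
    const char* base = getenv("TMPDIR");
    std::string buf = std::string(base ? base : "/tmp") + "/deepin-clone-example.XXXXXX";
    if (!mkdtemp(&buf[0])) return "";
    return buf;
}

struct DemoResult {
    bool   vulnerable_wrote_through_symlink = false; // victim file got the "log" write
    int    safe_fd = 0;                               // expected: -1
    int    safe_errno = 0;                            // expected: EEXIST (or ELOOP)
    mode_t workdir_mode = 0;                          // expected: no group/other bits
};

static std::string read_file(const std::string& p) {
    std::ifstream in(p);
    return std::string((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
}

// Sets up the attacker's symlink, runs both open() variants against it and
// reports what happened. All artefacts are removed afterwards.
DemoResult run_symlink_demo() {
    DemoResult r;
    std::string dir = make_private_workdir();
    if (dir.empty()) return r;
    struct stat st {};
    if (stat(dir.c_str(), &st) == 0) r.workdir_mode = st.st_mode & 0777;

    // "victim": a file the privileged process must never be tricked into writing.
    std::string victim = dir + "/victim";
    { std::ofstream(victim) << "original\n"; }
    // "attacker": pre-creates the predictable log name as a symlink to it.
    std::string log = dir + "/.deepin-clone.log";
    symlink(victim.c_str(), log.c_str());

    int fd = open_log_following_symlinks(log.c_str());
    if (fd >= 0) {
        const char msg[] = "log line from privileged process\n";
        ssize_t n = write(fd, msg, sizeof msg - 1);
        (void)n;
        close(fd);
    }
    r.vulnerable_wrote_through_symlink =
        read_file(victim).find("log line") != std::string::npos;

    errno = 0;
    r.safe_fd = open_log_safely(log.c_str());
    r.safe_errno = errno;
    if (r.safe_fd >= 0) close(r.safe_fd);

    unlink(log.c_str());
    unlink(victim.c_str());
    rmdir(dir.c_str());
    return r;
}

int main() {
    DemoResult r = run_symlink_demo();
    printf("vulnerable open wrote through the symlink: %s\n",
           r.vulnerable_wrote_through_symlink ? "yes" : "no");
    printf("hardened open: fd=%d (%s)\n", r.safe_fd, strerror(r.safe_errno));
    printf("private workdir mode: %04o\n", (unsigned)r.workdir_mode);
    return 0;
}
```

The O_EXCL|O_NOFOLLOW open only closes the hole for files the program creates itself; for the mount case in 2) the directory must also be private (0700, unpredictable name, owned by the caller) so that no other user can pre-create entries or keep the mount busy inside it.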