Date: Mon, 20 Jan 2020 15:50:28 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng runs the daemon as root instead of as an unprivileged user

Hi,

apt-cacher-ng is a caching proxy for downloading packages from Debian-style software repositories [1].

In the course of a code review of apt-cacher-ng I noticed a mismatch between the upstream configuration and the configuration used in the openSUSE packaging. While the upstream configuration expects the daemon to run as the unprivileged apt-cacher-ng user, the openSUSE packaging ships a diverging systemd service unit configuration, causing the apt-cacher-ng daemon to run as the root user.

Apart from a generally increased attack surface by not lowering privileges, this causes the following security issue:

Although the openSUSE packaging for apt-cacher-ng doesn't employ the unprivileged apt-cacher-ng user, it still creates it in the system. The directory /run/apt-cacher-ng is created for the apt-cacher-ng user via a systemd-tmpfiles configuration file from the upstream sources. This results in the apt-cacher-ng daemon running as root while handling files in /run/apt-cacher-ng, which is owned by the apt-cacher-ng user. The daemon correctly assumes that this directory is safe to handle without precautions, but this assumption is broken by the bad packaging.

Therefore a compromised apt-cacher-ng user account can perform symlink attacks in /run/apt-cacher-ng to cause writes to privileged file system locations by root, once the apt-cacher-ng service is (re)started. Furthermore, the socket path /run/apt-cacher-ng/socket can be replaced by an attacker-owned socket, thereby allowing him to hijack privileged client connections to apt-cacher-ng. Additional unexplored security issues could be possible.

An update for the broken packaging will be supplied for openSUSE Leap 15.1. Furthermore, since there is no active maintainer for the package in openSUSE, the apt-cacher-ng package is removed from the openSUSE:Factory project and thus from the openSUSE Tumbleweed rolling release distribution in the future.

[1] https://wiki.debian.org/AptCacherNg

Cheers

Matthias

--
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
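The root cause described above is a consistency gap between two packaging artifacts: the systemd unit decides which user the daemon runs as (root when User= is absent), while the tmpfiles.d fragment decides who owns the runtime directory. The following audit script, an added example that is not part of the advisory and not apt-cacher-ng or openSUSE code, parses both artifacts and reports any directory whose owner differs from the service user. The unit and tmpfiles.d snippets are constructed to mirror the mismatch described in the post; the path /usr/sbin/apt-cacher-ng and the ForeGround option are assumptions used only to make the sample unit look realistic.

```python
"""Packaging audit: does a systemd service's User= match the owner of the
runtime directories its tmpfiles.d fragment creates?

Added example, not code from the advisory, apt-cacher-ng or openSUSE.
All input text below is constructed for the demonstration.
"""

import configparser
import shlex

# Constructed: a unit that omits User=, so systemd starts it as root.
UNIT_RUNS_AS_ROOT = """\
[Unit]
Description=apt-cacher-ng caching proxy (constructed sample)

[Service]
ExecStart=/usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng ForeGround=1
"""

# Constructed: the corrected unit, dropping to the unprivileged user that
# the tmpfiles.d fragment already assumes.
UNIT_FIXED = """\
[Unit]
Description=apt-cacher-ng caching proxy (constructed sample)

[Service]
User=apt-cacher-ng
Group=apt-cacher-ng
ExecStart=/usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng ForeGround=1
"""

# Constructed tmpfiles.d fragment: runtime directory owned by the
# service user.  Field order: type path mode uid gid age [argument].
TMPFILES = """\
# Type Path                 Mode UID            GID            Age
d      /run/apt-cacher-ng   0755 apt-cacher-ng  apt-cacher-ng  -
"""


def service_user(unit_text):
    """Return the [Service] User= value; systemd's default is root."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(unit_text)
    return cp.get("Service", "User", fallback="root")


def tmpfiles_dirs(tmpfiles_text):
    """Yield (path, owner) for each directory-creating tmpfiles.d line.

    Only the d/D types are considered here; a uid field of '-' means the
    directory is created for root, which is systemd-tmpfiles' default.
    """
    for raw in tmpfiles_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if fields[0][0] not in "dD" or len(fields) < 4:
            continue
        owner = "root" if fields[3] == "-" else fields[3]
        yield fields[1], owner


def audit(unit_text, tmpfiles_text):
    """Return (path, directory_owner, service_user) for every mismatch.

    An empty list means the daemon runs as the user that owns its runtime
    directories, so it is not handling another account's files with
    elevated privileges.
    """
    user = service_user(unit_text)
    return [(path, owner, user)
            for path, owner in tmpfiles_dirs(tmpfiles_text)
            if owner != user]


if __name__ == "__main__":
    for label, unit in (("as shipped", UNIT_RUNS_AS_ROOT),
                        ("fixed", UNIT_FIXED)):
        findings = audit(unit, TMPFILES)
        if findings:
            for path, owner, user in findings:
                print(f"[{label}] {path} owned by {owner}, "
                      f"but service runs as {user}")
        else:
            print(f"[{label}] service user matches runtime directory owner")
```

On a real system the same comparison can be made against installed files by feeding the unit from /usr/lib/systemd/system and the fragment from /usr/lib/tmpfiles.d into audit(); the check is deliberately conservative and only flags the d/D directory types, so other tmpfiles.d entry types would need to be added for a full review.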