GLSA-200404-01 : Insecure sandbox temporary lockfile vulnerabilities in Portage

medium Nessus Plugin ID 14466

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200404-01 (Insecure sandbox temporary lockfile vulnerabilities in Portage).

A flaw has been found in Portage's sandbox wrapper: its temporary lockfiles are subject to a hard-link attack, which allows any file that can be hard-linked to be truncated to an empty file. This can be used to damage critical files on a system, causing a Denial of Service, or to create other security risks; for example, firewall configuration data could be overwritten without notice.
The vulnerable sandbox functions have been patched to test for these conditions: the existence of a hard link, which is removed before the sandbox process continues; a world-writable lockfile, which the sandbox also removes; and any mismatch in the UID (anything but root) or the GID (anything but the group of the sandbox process).
If the vulnerable files cannot be removed by the sandbox, the sandbox exits with a fatal error warning the administrator of the issue. The patched functions also fix any other sandbox I/O operations that do not explicitly involve the mentioned lockfile.
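The checks the patched sandbox performs, written out as an added C example (not the Gentoo sandbox's own code): the expected owner and group are parameters (the advisory expects root and the sandbox process's group; making them parameters is an assumption so the check also runs unprivileged), and the check is paired with the remove-and-recreate step plus a post-open fstat re-check, which goes slightly beyond the advisory text. `check_lockfile`, `open_lockfile_safely` and the `lock_verdict` values are hypothetical names.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum lock_verdict { LOCK_OK = 0, LOCK_MISSING = 1, LOCK_UNSAFE = 2 };

/* The conditions the patched sandbox tests for: a hard link (nlink > 1),
 * a world-writable lockfile, or an owner/group other than the expected one.
 * The advisory expects root and the sandbox process's group; here both are
 * parameters (assumption) so the check can also run unprivileged. */
static int verdict_from_stat(const struct stat *st, uid_t uid, gid_t gid) {
    if (!S_ISREG(st->st_mode)) return LOCK_UNSAFE;   /* symlink, fifo, device */
    if (st->st_nlink > 1) return LOCK_UNSAFE;        /* linked from elsewhere */
    if (st->st_mode & S_IWOTH) return LOCK_UNSAFE;   /* world-writable */
    if (st->st_uid != uid || st->st_gid != gid) return LOCK_UNSAFE;
    return LOCK_OK;
}

int check_lockfile(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (lstat(path, &st) != 0) return LOCK_MISSING;  /* lstat: never follow */
    return verdict_from_stat(&st, uid, gid);
}

/* Remediation as the advisory describes it: an unsafe lockfile is unlinked
 * (only the /tmp directory entry goes, so a hard-linked victim keeps its
 * data) and a fresh one is created with O_EXCL; if the unsafe file cannot be
 * removed, -1 is returned, which is where the sandbox exits with a fatal
 * error. The fstat re-check catches a link created between lstat and open. */
int open_lockfile_safely(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    int v = check_lockfile(path, uid, gid);
    if (v == LOCK_UNSAFE && unlink(path) != 0) return -1;
    int flags = O_RDWR | O_NOFOLLOW;                 /* never O_TRUNC */
    if (v != LOCK_OK) flags |= O_CREAT | O_EXCL;
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || verdict_from_stat(&st, uid, gid) != LOCK_OK) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Note that the recreated lockfile is never opened with O_TRUNC, so even if a check is bypassed the linked-to file's contents are not wiped by this path.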
Impact:

Any user with write access to the /tmp directory can hard-link a file to /tmp/sandboxpids.tmp. This file is eventually replaced with an empty one, effectively wiping out the file it was linked to as well, with no prior warning. This could be used to disable a vital component of the system and open a path to other possible exploits.
This vulnerability only affects systems that have /tmp on the root partition: since symbolic link attacks are filtered, /tmp has to be on the same partition as the target file for an attack to take place.
Workaround:

A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.

Solution

Users should upgrade to Portage 2.0.50-r3 or later:
# emerge sync
# emerge -pv '>=sys-apps/portage-2.0.50-r3'
# emerge '>=sys-apps/portage-2.0.50-r3'

See Also

https://security.gentoo.org/glsa/200404-01

Plugin Details

Severity: Medium

ID: 14466

File Name: gentoo_GLSA-200404-01.nasl

Version: 1.14

Type: local

Published: 8/30/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:portage, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 4/4/2004

Reference Information

GLSA: 200404-01