GLSA-200404-01 : Insecure sandbox temporary lockfile vulnerabilities in Portage

This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200404-01
(Insecure sandbox temporary lockfile vulnerabilities in Portage).

A flaw has been found in Portage's sandbox wrapper: its temporary lockfiles
are subject to a hard-link attack that lets any file which can be hard-linked
be overwritten with an empty file. This can be used to damage critical files
on a system, causing a denial of service, or to create other security risks;
for example, firewall configuration data could be overwritten without notice.
The vulnerable sandbox functions have been patched to test for these new
conditions: the existence of a hard link, which is removed before the sandbox
process continues; the existence of a world-writable lockfile, which the
sandbox also removes; and any mismatch in the UID (anything but root) or the
GID (anything but the group of the sandbox process).
If the sandbox cannot remove the offending files, it exits with a fatal error
warning the administrator of the issue. The patched functions also cover any
other sandbox I/O operations that do not explicitly involve the lockfile
mentioned above.
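
The checks the advisory describes, written out as an added example (not the Portage sandbox's own code): the lockfile is opened without truncation and with O_NOFOLLOW, the open descriptor is vetted with fstat() for link count, world-writability and owner/group, and only then truncated, so the object checked is the object written. The expected owner is passed in by the caller; the demo uses the calling process's own uid/gid and constructed scratch files under /tmp rather than root and /tmp/sandboxpids.tmp.

```c
#define _GNU_SOURCE
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
enum lock_check { LOCK_OK = 0, LOCK_OPEN_FAILED, LOCK_NOT_REGULAR,
                  LOCK_HARDLINK, LOCK_WORLD_WRITABLE, LOCK_BAD_OWNER };
/* Vet an already-open descriptor. fstat() on the fd examines the very object
 * that will be written, so no path swap between check and use can slip in. */
enum lock_check classify_lockfile(int fd, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) return LOCK_NOT_REGULAR;
    if (st.st_nlink > 1)      return LOCK_HARDLINK;   /* another name shares the inode */
    if (st.st_mode & S_IWOTH) return LOCK_WORLD_WRITABLE;
    if (st.st_uid != want_uid || st.st_gid != want_gid) return LOCK_BAD_OWNER;
    return LOCK_OK;
}
/* Open an existing lockfile without truncating it, vet it, then truncate.
 * Returns the fd, or -1 with *why set; the caller then removes the file or
 * exits with a fatal error, as the patched sandbox does. */
int open_lockfile_safely(const char *path, uid_t want_uid, gid_t want_gid,
                         enum lock_check *why)
{
    /* O_NOFOLLOW rejects symlinks; no O_TRUNC, so nothing changes before the checks. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *why = LOCK_OPEN_FAILED; return -1; }
    *why = classify_lockfile(fd, want_uid, want_gid);
    if (*why == LOCK_OK && ftruncate(fd, 0) != 0) *why = LOCK_OPEN_FAILED;
    if (*why != LOCK_OK) { close(fd); return -1; }
    return fd;
}
/* Constructed scenario: a scratch file stands in for a vital system file, a
 * second name for the lockfile. With the extra link the lock name shares the
 * vital file's inode; without it the lock is an ordinary single-link file. */
int demo_verdict(int with_extra_link)
{
    char vital[] = "/tmp/glsa-demo-vital-XXXXXX", lock[] = "/tmp/glsa-demo-lock-XXXXXX";
    enum lock_check why;
    int vfd = mkstemp(vital), lfd = mkstemp(lock);
    if (vfd < 0 || lfd < 0) return -1;
    close(vfd); close(lfd); unlink(lock);         /* keep the lock name, drop the file */
    if (link(vital, lock) != 0) { unlink(vital); return -1; }
    if (!with_extra_link) unlink(vital);          /* now the lock name is the only link */
    int fd = open_lockfile_safely(lock, getuid(), getegid(), &why);
    if (fd >= 0) close(fd);
    unlink(lock); if (with_extra_link) unlink(vital);
    return (int)why;
}
```

demo_verdict(1) reports LOCK_HARDLINK and the vital file is left untouched; demo_verdict(0) reports LOCK_OK and the lockfile is truncated.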

Impact :

Any user with write access to the /tmp directory can hard-link a file to
/tmp/sandboxpids.tmp; this file would eventually be replaced with an empty
one, effectively wiping out the file it was linked to, with no prior warning.
This could be used to disable a vital component of the system and open a path
for other possible exploits.
This vulnerability only affects systems that have /tmp on the root partition:
since symbolic link attacks are filtered, /tmp has to be on the same
partition as the targeted file for an attack to take place.

Workaround :

A workaround is not currently known for this issue. All users are advised
to upgrade to the latest version of the affected package.

See also :

https://security.gentoo.org/glsa/200404-01

Solution :

Users should upgrade to Portage 2.0.50-r3 or later:
# emerge sync
# emerge -pv '>=sys-apps/portage-2.0.50-r3'
# emerge '>=sys-apps/portage-2.0.50-r3'

Risk factor :

Medium

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14466 (gentoo_GLSA-200404-01.nasl)
