Bugzilla – Bug 1182407
VUL-0: CVE-2021-31997: python-postorius: postorius-permissions.sh used during %post allows local privilege escalation from postorius user to root
Last modified: 2022-01-03 10:57:58 UTC
+++ This bug was initially created as a clone of Bug #1182373

We are currently reviewing checked-in scripts and sources in OBS for security issues. In python-postorius the script postorius-permissions.sh is installed along with the package and is also invoked in the %post section of the postorius-web package.

In particular this script performs recursive ownership changes and ACL settings as root on user-controlled directories in /var/lib/postorius/data and /var/log/postorius. Since these directories are owned by the postorius and/or postorius-admin users, they can stage symlink attacks to pass ownership of arbitrary files in the system to themselves. A compromised postorius or postorius-admin account might therefore be able to perform a local root exploit.

Please perform safe operations here. For example:

- only perform the changes in ownership if the ownership does *not* match, i.e. don't do it unconditionally.
- pass ownership of the root directory last.
- pass switches like -P to setfacl and -h to chown to make them not follow symbolic links.
- use `setpriv` or `su` to drop privileges to the owner of the root of the directory tree.

This script is very similar to the one in python-HyperKitty bsc#1182373. It appears to be SUSE specific.
Internal CRD: 2021-05-19 or earlier
Please have a look at this. You can reach out to us if you need additional help fixing this. Thank you
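The following is an added illustration of the hardening the report asks for, written for this page; it is not the package's postorius-permissions.sh, and the function names, the user/group arguments and the 750/640 modes are assumptions chosen for the example. naive_perms shows the pattern the report objects to; safe_perms applies the report's four recommendations (refuse a symlinked root instead of following it, change ownership only where it does not already match, never pass symlinks to chown/chmod, hand over the root directory last) on a tree constructed by the caller.

```shell
#!/bin/sh
# Added example, not the package's own script. Arguments: USER GROUP DIR.

# The pattern the report objects to: recursive ownership and mode changes run
# as root on a tree whose root and contents belong to an unprivileged user.
# GNU chmod follows a symbolic link given on the command line, so a DIR that
# the user has replaced with a symlink is resolved before the recursion starts.
naive_perms() {
    user=$1 group=$2 dir=$3
    chown -R "$user:$group" "$dir"
    chmod -R u=rwX,g=rX,o= "$dir"
}

# Hardened version, following the report's recommendations.
safe_perms() {
    user=$1 group=$2 dir=$3
    # 1. Never start from a symlink: refuse rather than follow it.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "safe_perms: $dir is a symlink or not a directory, refusing" >&2
        return 1
    fi
    # 2. find's default -P walk does not follow symlinks, and -type f / -type d
    #    test the link itself, so a symlink is never handed to chmod; chown -h
    #    changes the link, not its target. Only entries whose ownership or mode
    #    differs are touched, so an already-correct tree causes no writes.
    find "$dir" -mindepth 1 \( ! -user "$user" -o ! -group "$group" \) \
        -exec chown -h "$user:$group" {} +
    find "$dir" -mindepth 1 -type d ! -perm 750 -exec chmod 750 {} +
    find "$dir" -mindepth 1 -type f ! -perm 640 -exec chmod 640 {} +
    # 3. Hand the root directory over last, so a root that still belonged to
    #    root could not be re-staged while its contents were being walked.
    if [ -n "$(find "$dir" -maxdepth 0 \( ! -user "$user" -o ! -group "$group" \))" ]; then
        chown -h "$user:$group" "$dir"
    fi
    chmod 750 "$dir"
    # 4. For the mode/ACL step the report prefers running as the tree owner so
    #    that nothing the user does not already own can be affected, e.g. as root:
    #    setpriv --reuid="$user" --regid="$group" --clear-groups \
    #        find "$dir" -mindepth 1 -type f ! -perm 640 -exec chmod 640 {} +
}
```

The `-exec {} +` calls still resolve paths by name, so a user who owns intermediate directories can swap one for a symlink between find's check and the chown/chmod call; that race is what the report's last recommendation (dropping privileges with setpriv or su) closes, and it is why removing the script altogether, as was eventually done, is the simplest fix.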
Please fix it if you have the time.
(In reply to asn@cryptomilk.org from comment #3)
> Please fix it if you have the time.

The security team cannot maintain custom scripts for you. There are hundreds of them in openSUSE:Factory alone and we have enough work on our hands just to monitor them. You can either fix it or remove the script. If there is no submission until the CRD is over then we will need to file a delete request for this package for openSUSE:Factory and openSUSE:Leap:*. The same goes for bug 1182373.
CRD also crossed for this now. Publishing.
Please use CVE-2021-31997 for this
https://build.opensuse.org/request/show/895423
OBS sr#896998 for Factory is still in staging. This sr# removes the permissions script completely. Leap:15.2 does not contain the script. Keeping this bug open until the fix made its way to Factory.
(In reply to matthias.gerstner@suse.com from comment #8)
> OBS sr#896998 for Factory is still in staging. This sr# removes the
> permissions script completely. Leap:15.2 does not contain the script. Keeping
> this bug open until the fix made its way to Factory.

So the sr# got declined in Factory. I cannot make out the reason. The problematic script is still in Factory. Could you please reiterate?
The package has been removed from Factory due to the unfixed issues. In Leap 15.2 an older version without the script in question still exists. Therefore closing this bug as WONTFIX until further notice.