From fd470b54bc98736e78a110da8346d9190bd8bae8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 23 Jan 2018 16:50:37 +0100
Subject: [PATCH] Resolves: CVE-2017-18018 - doc: warn about following symlinks recursively in chown/chgrp
---
 coreutils-8.29-CVE-2017-18018.patch | 124 ++++++++++++++++++++++++++++
 coreutils.spec | 4 +
 2 files changed, 128 insertions(+)
 create mode 100644 coreutils-8.29-CVE-2017-18018.patch
diff --git a/coreutils-8.29-CVE-2017-18018.patch b/coreutils-8.29-CVE-2017-18018.patch
new file mode 100644
index 0000000..577c90b
--- /dev/null
+++ b/coreutils-8.29-CVE-2017-18018.patch
@@ -0,0 +1,124 @@
+From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Thu, 28 Dec 2017 15:52:42 -0500
+Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults
+
+* doc/coreutils.texi: the documentation for the --dereference
+ flag of chown/chgrp states that it is the default mode of
+ operation. Document that this is only the case when operating
+ non-recursively.
+
+Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2
+Signed-off-by: Kamil Dudka
+---
+ doc/coreutils.texi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index de1f2eb..de06c0f 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+
+ @item -h
+ @itemx --no-dereference
+@@ -11119,7 +11119,7 @@ changed.
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+
+ @item -h
+ @itemx --no-dereference
+--
+2.13.6
+
+
+From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Thu, 4 Jan 2018 11:38:21 -0500
+Subject: [PATCH 2/2] doc: warn about following symlinks recursively in
+ chown/chgrp
+
+In both chown and chgrp (which shares its code with chown), operating
+on symlinks recursively has a window of vulnerability where the
+destination user or group can change the target of the operation.
+Warn about combining the --dereference, --recursive, and -L flags.
+
+* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
+(node chown invocation): Add it to --dereference and -L.
+(node chgrp invocation): Likewise.
+
+See also: CVE-2017-18018
+
+Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842
+Signed-off-by: Kamil Dudka
+---
+ doc/coreutils.texi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index de06c0f..24cc85b 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
+ In a recursive traversal, traverse every symbolic link to a directory
+ that is encountered.
+ @end macro
++
++@c Append the following warning to -L where appropriate (e.g. chown).
++@macro warnOptDerefWithRec
++
++Combining this dereferencing option with the @option{--recursive} option
++may create a security risk:
++During the traversal of the directory tree, an attacker may be able to
++introduce a symlink to an arbitrary target; when the tool reaches that,
++the operation will be performed on the target of that symlink,
++possibly allowing the attacker to escalate privileges.
++
++@end macro
++
+ @choptL
+
+ @macro choptP
+@@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+
+ @item -h
+ @itemx --no-dereference
+@@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+
+ @choptP
+@@ -11120,6 +11135,7 @@ changed.
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+
+ @item -h
+ @itemx --no-dereference
+@@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+
+ @choptP
+--
+2.13.6
+
diff --git a/coreutils.spec b/coreutils.spec
index 6076b43..210a13f 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -17,6 +17,9 @@ Source106: coreutils-colorls.csh
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.29-9-g29baf25aa
 Patch1: coreutils-8.29-mv-n-noreplace.patch
+# doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018)
+Patch2: coreutils-8.29-CVE-2017-18018.patch
+
 # disable the test-lock gnulib test prone to deadlock
 Patch100: coreutils-8.26-test-lock.patch
@@ -278,6 +281,7 @@ fi
 %changelog
 * Tue Jan 23 2018 Kamil Dudka - 8.29-2
+- doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018)
 - mv -n: do not overwrite the destination
 * Tue Jan 02 2018 Kamil Dudka - 8.29-1
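Review bot: The comment added above `Patch2:` in the first coreutils.spec hunk carries no upstream reference and does not say that the patch is documentation-only, whereas the `Patch1:` entry just above it keeps a commit URL. Because the commit subject reads "Resolves: CVE-2017-18018", someone auditing the spec could conclude that chown/chgrp behaviour was changed, while the bundled patch only touches doc/coreutils.texi and recursive runs with `--dereference` or `-L` still act on symlink targets. I would extend the comment with a second line such as `# documentation only, no behaviour change; upstream commits 7597cfa482e4 and bc2fd9796403`, so the residual risk is visible from the spec itself.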