Resolves: CVE-2017-18018 - doc: warn about following symlinks recursively in chown/chgrp
This commit is contained in:
parent 79fe59c7fc
commit fd470b54bc

coreutils-8.29-CVE-2017-18018.patch (Normal file, 124 lines added)
									
							| @ -0,0 +1,124 @@ | |||||||
|  | From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Michael Orlitzky <michael@orlitzky.com> | ||||||
|  | Date: Thu, 28 Dec 2017 15:52:42 -0500 | ||||||
|  | Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults | ||||||
|  | 
 | ||||||
|  | * doc/coreutils.texi: the documentation for the --dereference | ||||||
|  |   flag of chown/chgrp states that it is the default mode of | ||||||
|  |   operation. Document that this is only the case when operating | ||||||
|  |   non-recursively. | ||||||
|  | 
 | ||||||
|  | Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2 | ||||||
|  | Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||||
|  | ---
 | ||||||
|  |  doc/coreutils.texi | 4 ++-- | ||||||
|  |  1 file changed, 2 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/doc/coreutils.texi b/doc/coreutils.texi
 | ||||||
|  | index de1f2eb..de06c0f 100644
 | ||||||
|  | --- a/doc/coreutils.texi
 | ||||||
|  | +++ b/doc/coreutils.texi
 | ||||||
|  | @@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER /
 | ||||||
|  |  @cindex symbolic links, changing owner | ||||||
|  |  @findex lchown | ||||||
|  |  Do not act on symbolic links themselves but rather on what they point to. | ||||||
|  | -This is the default.
 | ||||||
|  | +This is the default when not operating recursively.
 | ||||||
|  |   | ||||||
|  |  @item -h | ||||||
|  |  @itemx --no-dereference | ||||||
|  | @@ -11119,7 +11119,7 @@ changed.
 | ||||||
|  |  @cindex symbolic links, changing owner | ||||||
|  |  @findex lchown | ||||||
|  |  Do not act on symbolic links themselves but rather on what they point to. | ||||||
|  | -This is the default.
 | ||||||
|  | +This is the default when not operating recursively.
 | ||||||
|  |   | ||||||
|  |  @item -h | ||||||
|  |  @itemx --no-dereference | ||||||
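Review bot: the new wording in both hunks says dereferencing is the default only when not operating recursively, but leaves the recursive default unstated, so a reader has to infer it from the -h / --no-dereference item that follows; a half-sentence naming the recursive default would close that gap. The stat shows only doc/coreutils.texi changing; if the --help output of chown/chgrp makes the same "This is the default." claim, it should be corrected in the same change so the two sources do not disagree.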
|  | -- 
 | ||||||
|  | 2.13.6 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Michael Orlitzky <michael@orlitzky.com> | ||||||
|  | Date: Thu, 4 Jan 2018 11:38:21 -0500 | ||||||
|  | Subject: [PATCH 2/2] doc: warn about following symlinks recursively in | ||||||
|  |  chown/chgrp | ||||||
|  | 
 | ||||||
|  | In both chown and chgrp (which shares its code with chown), operating | ||||||
|  | on symlinks recursively has a window of vulnerability where the | ||||||
|  | destination user or group can change the target of the operation. | ||||||
|  | Warn about combining the --dereference, --recursive, and -L flags. | ||||||
|  | 
 | ||||||
|  | * doc/coreutils.texi (warnOptDerefWithRec): Add macro. | ||||||
|  | (node chown invocation): Add it to --dereference and -L. | ||||||
|  | (node chgrp invocation): Likewise. | ||||||
|  | 
 | ||||||
|  | See also: CVE-2017-18018 | ||||||
|  | 
 | ||||||
|  | Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842 | ||||||
|  | Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||||
|  | ---
 | ||||||
|  |  doc/coreutils.texi | 17 +++++++++++++++++ | ||||||
|  |  1 file changed, 17 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/doc/coreutils.texi b/doc/coreutils.texi
 | ||||||
|  | index de06c0f..24cc85b 100644
 | ||||||
|  | --- a/doc/coreutils.texi
 | ||||||
|  | +++ b/doc/coreutils.texi
 | ||||||
|  | @@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
 | ||||||
|  |  In a recursive traversal, traverse every symbolic link to a directory | ||||||
|  |  that is encountered. | ||||||
|  |  @end macro | ||||||
|  | +
 | ||||||
|  | +@c Append the following warning to -L where appropriate (e.g. chown).
 | ||||||
|  | +@macro warnOptDerefWithRec
 | ||||||
|  | +
 | ||||||
|  | +Combining this dereferencing option with the @option{--recursive} option
 | ||||||
|  | +may create a security risk:
 | ||||||
|  | +During the traversal of the directory tree, an attacker may be able to
 | ||||||
|  | +introduce a symlink to an arbitrary target; when the tool reaches that,
 | ||||||
|  | +the operation will be performed on the target of that symlink,
 | ||||||
|  | +possibly allowing the attacker to escalate privileges.
 | ||||||
|  | +
 | ||||||
|  | +@end macro
 | ||||||
|  | +
 | ||||||
|  |  @choptL | ||||||
|  |   | ||||||
|  |  @macro choptP | ||||||
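Review bot: the warnOptDerefWithRec macro names the risk but not the safe choice; the document's own example in the chown hunk header, `chown -h -R --from=OLDUSER NEWUSER /`, already pairs -h with -R, so the warning should point readers to -h/--no-dereference (or -P) as the alternative for recursive runs rather than leaving them to find it. Minor style point in the same hunk: "may create a security risk:" is followed by a capitalised "During", so either end the first sentence with a full stop or lowercase the continuation.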
|  | @@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER /
 | ||||||
|  |  @findex lchown | ||||||
|  |  Do not act on symbolic links themselves but rather on what they point to. | ||||||
|  |  This is the default when not operating recursively. | ||||||
|  | +@warnOptDerefWithRec
 | ||||||
|  |   | ||||||
|  |  @item -h | ||||||
|  |  @itemx --no-dereference | ||||||
|  | @@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents.
 | ||||||
|  |  @xref{Traversing symlinks}. | ||||||
|  |   | ||||||
|  |  @choptL | ||||||
|  | +@warnOptDerefWithRec
 | ||||||
|  |  @xref{Traversing symlinks}. | ||||||
|  |   | ||||||
|  |  @choptP | ||||||
|  | @@ -11120,6 +11135,7 @@ changed.
 | ||||||
|  |  @findex lchown | ||||||
|  |  Do not act on symbolic links themselves but rather on what they point to. | ||||||
|  |  This is the default when not operating recursively. | ||||||
|  | +@warnOptDerefWithRec
 | ||||||
|  |   | ||||||
|  |  @item -h | ||||||
|  |  @itemx --no-dereference | ||||||
|  | @@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents.
 | ||||||
|  |  @xref{Traversing symlinks}. | ||||||
|  |   | ||||||
|  |  @choptL | ||||||
|  | +@warnOptDerefWithRec
 | ||||||
|  |  @xref{Traversing symlinks}. | ||||||
|  |   | ||||||
|  |  @choptP | ||||||
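Review bot: in both @choptL hunks (chown and chgrp) the macro lands between @choptL and the `@xref{Traversing symlinks}` line, so the cross-reference now follows the security warning instead of the option description it belongs to; placing @warnOptDerefWithRec after the @xref line would keep the reference attached to @choptL. The two --dereference insertions are fine as they are, since the macro opens and closes with blank lines and so renders as its own paragraph after "This is the default when not operating recursively."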
|  | -- 
 | ||||||
|  | 2.13.6 | ||||||
|  | 
 | ||||||
| @ -17,6 +17,9 @@ Source106:  coreutils-colorls.csh | |||||||
| # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.29-9-g29baf25aa | # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.29-9-g29baf25aa | ||||||
| Patch1:   coreutils-8.29-mv-n-noreplace.patch | Patch1:   coreutils-8.29-mv-n-noreplace.patch | ||||||
| 
 | 
 | ||||||
|  | # doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018) | ||||||
|  | Patch2:   coreutils-8.29-CVE-2017-18018.patch | ||||||
|  | 
 | ||||||
| # disable the test-lock gnulib test prone to deadlock | # disable the test-lock gnulib test prone to deadlock | ||||||
| Patch100: coreutils-8.26-test-lock.patch | Patch100: coreutils-8.26-test-lock.patch | ||||||
| 
 | 
 | ||||||
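Review bot: Patch2 is declared but this diff shows no matching change in %prep; unless the spec applies patches automatically (%autosetup or %autopatch), a corresponding `%patch2 -p1` line is needed or the patch will never be applied. Also, the comment above Patch1 cites the upstream commit URL while Patch2's comment only names the CVE; the two Upstream-commit ids recorded inside the patch file could be cited in the same form for consistency.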
| @ -278,6 +281,7 @@ fi | |||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Tue Jan 23 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-2 | * Tue Jan 23 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-2 | ||||||
|  | - doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018) | ||||||
| - mv -n: do not overwrite the destination | - mv -n: do not overwrite the destination | ||||||
| 
 | 
 | ||||||
| * Tue Jan 02 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-1 | * Tue Jan 02 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-1 | ||||||
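Review bot: the changelog line is added under the existing 8.29-2 stanza rather than in a new entry, so this change relies on Release: having already been bumped for the mv -n fix; that is correct only if both land in the same build, otherwise a new dated entry and release bump are needed.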