Bug 1170178

Summary: AUDIT-FIND: enlightenment: enlightenment_system: ecore_file_app_installed(): can be tricked into returning bogus results
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security
Assignee: Simon Lees <simonf.lees>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: matthias.gerstner, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1169238

Description Matthias Gerstner 2020-04-22 10:02:03 UTC
+++ This bug was initially created as a clone of Bug #1169238

i) `ecore_file_app_installed()` can be tricked into returning bogus results

Various calls to `ecore_file_app_installed()` are performed in the context of
the setuid-root binary. This function performs a direct check for the
existence of the given filename before checking the directories found in the
PATH environment variable.

Since the CWD is controlled by a potential attacker (see g)), the attacker can
place arbitrary files named like the searched binaries in the CWD. As a
result, `ecore_file_app_installed()` will return bogus results. I couldn't
find any way to exploit this fact in the context of the setuid-root binary,
however.

I suggest *not* checking the CWD in `ecore_file_app_installed()`. If
the CWD should be checked, then the PATH environment variable should contain
"." instead.
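The lookup the report recommends, as an added example that is not EFL's code nor the upstream fix: a PATH-only search that never consults the current working directory. The function name `path_only_app_installed()` and its helper are assumptions for illustration, not an EFL API. Only absolute directory entries of PATH are searched, so "." and relative entries (which resolve against the attacker-controlled CWD) are skipped, and a name containing a '/' is rejected outright rather than being tested as a relative path.

```c
/* Added example (not EFL's code): a PATH-only "is this app installed" check
 * that never looks in the current working directory. The helper names here
 * are assumptions for illustration, not EFL APIs. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Return 1 if 'path' is a regular file with at least one execute bit set. */
static int is_executable_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* Hardened lookup: 'exe' must be a bare program name (no '/'), and only
 * absolute directories listed in 'path_env' are searched. Entries such as
 * "." or "bin" are relative to the CWD and are skipped; empty entries
 * (which POSIX also treats as the CWD) are dropped by strtok_r.
 * Returns 1 if an executable named 'exe' is found, 0 otherwise. */
int path_only_app_installed(const char *exe, const char *path_env)
{
    if (!exe || !*exe || strchr(exe, '/')) return 0; /* no paths, only names */
    if (!path_env) return 0;

    char *copy = strdup(path_env); /* strtok_r modifies its input */
    if (!copy) return 0;

    int found = 0;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        if (dir[0] != '/') continue; /* skip ".", "..", and any relative dir */
        char full[4096];
        if (snprintf(full, sizeof full, "%s/%s", dir, exe) >= (int)sizeof full)
            continue; /* candidate path too long; treat as not found */
        if (is_executable_file(full)) { found = 1; break; }
    }
    free(copy);
    return found;
}

int main(int argc, char **argv)
{
    const char *exe = argc > 1 ? argv[1] : "sh";
    /* Searches the real PATH; "." entries in it are ignored by design. */
    printf("%s: %s\n", exe,
           path_only_app_installed(exe, getenv("PATH")) ? "installed" : "not found");
    return 0;
}
```

Compile with `cc -o app_installed app_installed.c` and run `./app_installed sh`; a name given as `./sh` or found only under a "." PATH entry reports "not found", which is the behaviour the report asks for.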
Comment 1 Simon Lees 2020-04-22 11:10:32 UTC
Upstream: https://phab.enlightenment.org/T8678
Comment 3 Matthias Gerstner 2020-04-30 13:47:47 UTC
Well the upstream fix is not exactly what I had in mind. But as the upstream
comment says the actual attack vector is already fixed by setting the CWD in
the setuid-root binary.
Comment 4 Matthias Gerstner 2020-05-22 10:25:12 UTC
Closing as fixed.