Bug 1182407 (CVE-2021-31997)

Summary: VUL-0: CVE-2021-31997: python-postorius: postorius-permissions.sh used during %post allows local privilege escalation from postorius user to root
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: AuditsAssignee: Andreas Schneider <asn>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jsegitz, mcepl, mmachova, mrueckert, pgajdos, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1180875    

Description Matthias Gerstner 2021-02-18 09:29:08 UTC 
+++ This bug was initially created as a clone of Bug #1182373

We are currently reviewing checked-in scripts and sources in OBS for security
issues.

In python-postorius the script postorius-permissions.sh is installed along
with the package and is also invoked in the %post section of the
postorius-web package.

In particular this script performs recursive ownership changes and ACL
settings as root on user controlled directories in /var/lib/postorius/data and
/var/log/postorius.

Since these directories are owned by the postorius and/or postorius-admin
users they can stage symlink attacks to pass ownership of arbitrary files in
the system to themselves. A compromised postorius or postorius-admin account
might therefore be able to perform a local root exploit.

Please perform safe operations here. For example:

- only perform the changes in ownership if the ownership does *not* match i.e.
  don't do it unconditionally.
- pass ownership of the root directory last.
- pass switches like -P to setfacl and -h to chown to make it not follow
  symbolic links.
- using `setpriv` or `su` to drop privileges to the owner of the root of the
  directory tree.

This script is very similar to the one in python-HyperKitty bsc#1182373. It
appears to be SUSE specific.
Comment 1 Matthias Gerstner 2021-04-01 11:23:09 UTC 
Internal CRD: 2021-05-19 or earlier
Comment 2 Johannes Segitz 2021-05-04 08:17:23 UTC 
Please have a look at this. You can reach out to us if you need additional help fixing this. Thank you
Comment 3 Andreas Schneider 2021-05-04 08:24:49 UTC 
Please fix it if you have the time.
Comment 4 Matthias Gerstner 2021-05-17 09:48:53 UTC 
(In reply to asn@cryptomilk.org from comment #3)
> Please fix it if you have the time.

The security team cannot maintain custom scripts for you. There are hundreds
of them in openSUSE:Factory alone and we have enough work on our hands just to
monitor them.

You can either fix it or remove the script. If there is no submission until
the CRD is over then we will need to file a delete request for this package
for openSUSE:Factory and openSUSE:Leap:*. The same goes for bug 1182373.
Comment 5 Matthias Gerstner 2021-05-20 08:15:13 UTC 
CRD also crossed for this now. Publishing.
Comment 6 Johannes Segitz 2021-05-20 09:36:09 UTC 
Please use CVE-2021-31997 for this
Comment 7 Andreas Schneider 2021-05-25 19:31:55 UTC 
https://build.opensuse.org/request/show/895423
Comment 8 Matthias Gerstner 2021-06-22 11:59:16 UTC 
OBS sr#896998 for Factory is still in staging. This sr# removes the
permissions script completely. Leap:15.2 does not contain the script. Keeping
this bug open until the fix made its way to Factory.
Comment 9 Matthias Gerstner 2021-10-08 13:30:05 UTC 
(In reply to matthias.gerstner@suse.com from comment #8)
> OBS sr#896998 for Factory is still in staging. This sr# removes the
> permissions script completely. Leap:15.2 does not contain the script. Keeping
> this bug open until the fix made its way to Factory.

So the sr# got declined in Factory. I cannot make out the reason. The
problematic script is still in Factory. Could you please reiterate?
Comment 10 Matthias Gerstner 2022-01-03 10:57:58 UTC 
The package has been removed from Factory due to the unfixed issues. In Leap
15.2 an older version without the script in question still exists. Therefore
closing this bug as WONTFIX until further notice.