Bug 1194470 (CVE-2022-21944)

Summary: VUL-0: CVE-2022-21944: watchman: chown in watchman@.socket unit allows symlink attack
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: rfrohl, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/319784/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Gerstner 2022-01-10 14:47:13 UTC
The somewhat peculiar systemd integration of watchman caused me to create a
security issue in the watchman@.socket unit:

```
ExecStartPost=/usr/bin/chown %i:users /run/watchman/%i-state
```

/run/watchman is a public sticky-bit directory with mode 1777.

The problem here is that watchman should continue working as normal on the
command line without using systemd. This means that an unprivileged watchman
instance must be able to create /run/watchman/$USER-state. This is why
/run/watchman is a public sticky-bit directory.

The systemd socket unit on the other hand must be able to create the socket
*and* the intermediate directory if the socket unit is started. The
intermediate directory needs to have the correct permissions. The chown line
above means, however, that if the unprivileged user places a symlink into
/run/watchman/$USER-state, the chown will follow that symlink and e.g.
give ownership of /etc to the unprivileged user.

I am currently working on an update for Factory that fixes this. Since this is
SUSE packaging specific we'll need one of our SUSE CNA CVEs for this.
Watchman is also in Leap so some maintenance updates are in order there.
Comment 1 Johannes Segitz 2022-01-10 14:50:07 UTC
Please use CVE-2022-21944
Comment 2 Matthias Gerstner 2022-01-10 15:06:01 UTC
The new approach is to call an ExecStartPre script as the unprivileged user.
This script will create the state directory in a safe-ish way. The sticky-bit
directory is shaky for this purpose but I don't see a simple way around that.
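The creation sequence Comment 2 describes, written here as an added example and not watchman's own ExecStartPre script: a POSIX sh function that creates a per-user state directory inside a world-writable sticky-bit directory without ever following a symlink planted there. The base path and name arguments, and the function name, are assumptions for illustration; it is meant to run as the unprivileged user, as the comment says, so no chown is needed afterwards.

```shell
#!/bin/sh
# Added example (not watchman's own script): create "$1/$2" as a private
# state directory inside a sticky-bit directory such as /run/watchman.
# Returns 0 when the directory exists and belongs to us, 1 otherwise.
make_state_dir() {
    base=$1
    target=$1/$2

    # The base must be a real directory, not a symlink, before we touch it.
    [ -d "$base" ] && ! [ -L "$base" ] || return 1

    # mkdir(2) never follows a symlink at the final path component: if
    # another user pre-planted "$target" as a symlink, mkdir fails with
    # EEXIST instead of creating anything at the link's destination.
    mkdir -m 0700 "$target" 2>/dev/null || true

    # Whatever now sits at "$target" must be a directory, not a symlink,
    # and owned by the invoking user. In a sticky directory only the owner
    # (or root) can rename or unlink the entry, so once this check passes
    # the name cannot be swapped out from under us by another user.
    if [ -L "$target" ] || ! [ -d "$target" ] || ! [ -O "$target" ]; then
        return 1
    fi
    return 0
}
```

Because the function runs as the user who will own the directory, there is no privileged chown to redirect, which is the flaw in the original unit line. What remains is the weakness Comment 2 calls shaky: another user can still squat on the name first, and the function reports that as a failure rather than proceeding, so the unit start fails visibly instead of the service silently using someone else's directory.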
Comment 3 OBSbugzilla Bot 2022-01-10 15:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/945357 Factory / watchman
Comment 4 Marcus Meissner 2022-01-11 12:43:23 UTC
15.2 is eol... but can you also submit to

openSUSE:Backports:SLE-15-SP3:Update/watchman for Leap 15.3 and PackageHub 15-sp3

and optionally to
openSUSE:Backports:SLE-15-SP1:Update/watchman
openSUSE:Backports:SLE-15-SP2:Update/watchman
Comment 5 OBSbugzilla Bot 2022-01-11 13:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/945580 15.2 / watchman
Comment 7 OBSbugzilla Bot 2022-01-17 12:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/946942 Backports:SLE-15-SP3 / watchman
Comment 8 Matthias Gerstner 2022-01-17 13:02:49 UTC
An update is now out towards Backports:SLE-15-SP3 which should also cover Leap
15.3. If further updates are required for Backports:SLE-15-SP{1,2} then please
tell me. Leaving it to reactive security to close this bug if all is cared
for.
Comment 9 Swamp Workflow Management 2022-01-17 23:19:25 UTC
openSUSE-SU-2022:0016-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1181400,1194470
CVE References: CVE-2022-21944
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    watchman-4.9.0-bp153.2.3.1
Comment 10 Matthias Gerstner 2022-05-17 13:23:02 UTC
All codestreams should be fixed. Reactive security gave green light to close
this.