Bugzilla – Bug 1157703
VUL-0: CVE-2019-18899: apt-cacher-ng: apt-cacher-ng runs as root, insecure use of /run/apt-cacher-ng
Last modified: 2020-05-13 08:15:20 UTC
A serious finding from bug 1150532. In our package apt-cacher-ng runs as root. The /run/apt-cacher-ng directory is owned by an unprivileged user, however:

```
$ ls -lhd /run/apt-cacher-ng
drwxr-xr-x 2 apt-cacher-ng apt-cacher-ng 80 25. Nov 15:30 /run/apt-cacher-ng/
```

The apt-cacher-ng daemon creates at least two files in there, a pid file and a socket file. The apt-cacher-ng unprivileged user can therefore perform symlink attacks and cause damage to the system or otherwise unspecified impact. Both files are created in a racy way by the apt-cacher-ng daemon.

The problem stems from the apt-cacher-ng.service file which is not coming from upstream but from our own packaging in OBS. On Debian they use the right approach by adding the following two directives to the file:

```
User=apt-cacher-ng
Group=apt-cacher-ng
```

This finding is worth a CVE, we will need to assign one from our own SUSE CVE pool for this since it is SUSE specific.
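An added example, not part of the bug report or of the apt-cacher-ng packaging: a Python audit that reads the effective `User=` from a unit file and flags a runtime directory owned by a different unprivileged account. The unit texts, the `ExecStart` path and uid 499 are constructed assumptions, and the group/other-writable check goes beyond the case described in the report.

```python
import os
import pwd
import stat

# Constructed unit files (not the packaged ones); ExecStart is a placeholder path.
UNIT_WITHOUT_USER = """[Unit]
Description=apt-cacher-ng
[Service]
ExecStart=/usr/sbin/apt-cacher-ng
"""
UNIT_WITH_USER = UNIT_WITHOUT_USER + "User=apt-cacher-ng\nGroup=apt-cacher-ng\n"

def service_user(unit_text):
    """Return the effective User= of [Service]; systemd system services default to root."""
    section, user = None, "root"
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "User":
                user = value.strip() or "root"  # an empty assignment resets to the default
    return user

def audit(daemon_uid, owner_uid, mode):
    """Findings for a directory in which the daemon creates its pid and socket files."""
    findings = []
    if owner_uid not in (0, daemon_uid):
        findings.append(f"uid {daemon_uid} creates files in a directory owned by uid {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory is writable by group or others")
    return findings

def audit_unit(unit_text, run_dir, uid_of=lambda name: pwd.getpwnam(name).pw_uid):
    """Compare the unit's effective user with the live ownership and mode of run_dir."""
    st = os.stat(run_dir)
    return audit(uid_of(service_user(unit_text)), st.st_uid, stat.S_IMODE(st.st_mode))

if __name__ == "__main__":
    APT_UID = 499  # constructed uid standing in for the apt-cacher-ng account
    uid_for = {"root": 0, "apt-cacher-ng": APT_UID}
    for label, unit in (("no User=", UNIT_WITHOUT_USER), ("User= set", UNIT_WITH_USER)):
        # 0o755 is the drwxr-xr-x mode from the ls output in the report
        print(label, audit(uid_for[service_user(unit)], APT_UID, 0o755))
```

On a live system, `audit_unit(open(unit_path).read(), "/run/apt-cacher-ng")` applies the same comparison to the installed unit, assuming `User=` names an account rather than a numeric uid.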
So this SUSE-specific bug needs to be carefully addressed. Reducing permissions in an update is a difficult thing to do. We need to make sure that no regressions occur. No official maintainer is left for apt-cacher-ng. We're considering removing it from Factory, but it's still in maintained state for SLE-15 and SLE-15-SP1 backports. The question also is whether there's a customer requirement for this being in SLE, then removing it from Factory could become difficult.
Please use CVE-2019-18899 to track this
Since bug 1157706 which also affects upstream is already public we can now simply act for this bug, too. Similarly to what I wrote in the other bug, no maintainer is to be found for this package in openSUSE. Therefore the following will happen:

- a delete request will be filed for Factory
- a maintenance update with emergency fixes will be submitted to maintained Leap codestreams.
This is an autogenerated message for OBS integration: This bug (1157703) was mentioned in https://build.opensuse.org/request/show/765843 15.1 / apt-cacher-ng
I've published this on oss-sec [1].

[1]: https://seclists.org/oss-sec/2020/q1/22
openSUSE-SU-2020:0124-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Leap 15.1 (src): apt-cacher-ng-3.1-lp151.3.3.1

openSUSE-SU-2020:0146-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Backports SLE-15-SP1 (src): apt-cacher-ng-3.1-bp151.4.3.1
reassigning to security-team, this should be done by now
Done