Bugzilla – Bug 1170178
AUDIT-FIND: enlightenment: enlightenment_system: ecore_file_app_installed(): can be tricked into returning bogus results
Last modified: 2020-05-22 10:25:12 UTC
+++ This bug was initially created as a clone of Bug #1169238 +++

i) `ecore_file_app_installed()` can be tricked into returning bogus results

Various calls to `ecore_file_app_installed()` are performed in the context of the setuid-root binary. This function performs a direct check for the existence of the given filename before checking the directories found in the PATH environment variable. Since the CWD is controlled by a potential attacker (see g)), the attacker can place arbitrary files named like the searched binaries in the CWD. As a result `ecore_file_app_installed()` will return bogus results. I couldn't find any way to exploit this fact in the context of the setuid-root binary, however.

I suggest *not* to check the CWD in `ecore_file_app_installed()`. If the CWD should be checked then the PATH environment variable should contain "." instead.
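The following C program is an added illustration of the lookup behaviour the finding describes; it is not EFL's code and the function names `app_installed_flawed`, `app_installed_hardened` and `run_demo` are hypothetical. The flawed variant tests the name as given before walking PATH, so a bare name resolves against the CWD; the hardened variant resolves bare names only through the PATH string passed in, consults the CWD only when that string explicitly lists ".", and rejects relative paths that contain a slash. The demo plants a constructed executable named "fakeapp" in a scratch directory under /tmp, makes that directory the CWD, and checks both variants against a PATH that does not mention it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* expose POSIX interfaces (stat, access, chdir) in glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* True if `path` names a regular file the caller may execute. */
static int can_exec(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return access(path, X_OK) == 0;
}

/* Look `exe` up in each colon-separated entry of `path_env` (a string passed
 * in by the caller, not the process environment). Empty entries, which POSIX
 * treats as the CWD, are skipped on purpose: a caller who wants the CWD
 * searched lists "." explicitly. */
static int found_in_path(const char *exe, const char *path_env)
{
    char buf[PATH_MAX];
    const char *p = path_env;

    if (!p) return 0;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0 && len + 1 + strlen(exe) < sizeof buf) {
            memcpy(buf, p, len);
            buf[len] = '/';
            strcpy(buf + len + 1, exe);
            if (can_exec(buf)) return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Model of the flawed lookup from the report (hypothetical, not EFL's code):
 * the name is tested as given first, so a bare name is resolved against the
 * CWD before PATH is consulted. */
int app_installed_flawed(const char *exe, const char *path_env)
{
    if (!exe || !*exe) return 0;
    if (can_exec(exe)) return 1;   /* CWD-relative for a bare name */
    return found_in_path(exe, path_env);
}

/* Hardened variant: a name containing '/' must be absolute; a bare name is
 * resolved only through PATH, so the CWD is consulted only if PATH lists ".". */
int app_installed_hardened(const char *exe, const char *path_env)
{
    if (!exe || !*exe) return 0;
    if (strchr(exe, '/'))
        return exe[0] == '/' && can_exec(exe);
    return found_in_path(exe, path_env);
}

/* Constructed scenario: an executable "fakeapp" in a scratch directory that
 * becomes the CWD. Returns 0 when every expectation holds, otherwise the
 * number of the first check that failed. */
int run_demo(void)
{
    char dir[64], file[96], oldcwd[PATH_MAX];
    int rc = 0;

    snprintf(dir, sizeof dir, "/tmp/appinst_demo_%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/fakeapp", dir);
    if (!getcwd(oldcwd, sizeof oldcwd) || mkdir(dir, 0700) != 0) return 1;

    FILE *f = fopen(file, "w");
    if (!f) { rmdir(dir); return 2; }
    fputs("#!/bin/sh\nexit 0\n", f);
    fclose(f);
    chmod(file, 0700);

    if (chdir(dir) != 0) rc = 3;
    /* flawed: bare name found via the CWD although PATH points elsewhere */
    else if (app_installed_flawed("fakeapp", "/nonexistent_dir") != 1) rc = 4;
    /* hardened: same call, the CWD is ignored */
    else if (app_installed_hardened("fakeapp", "/nonexistent_dir") != 0) rc = 5;
    /* hardened: found once its directory is on PATH ... */
    else if (app_installed_hardened("fakeapp", dir) != 1) rc = 6;
    /* ... or when the caller opts into the CWD with an explicit "." */
    else if (app_installed_hardened("fakeapp", "/nonexistent_dir:.") != 1) rc = 7;
    /* hardened: a relative path containing a slash is rejected outright */
    else if (app_installed_hardened("./fakeapp", dir) != 0) rc = 8;

    if (chdir(oldcwd) != 0 && rc == 0) rc = 9;
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point for a setuid-root caller is that the hardened lookup's result depends only on the PATH string it is handed, so fixing PATH (and, as the upstream fix does, the CWD) in the privileged binary makes the answer independent of anything the invoking user controls.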
Upstream: https://phab.enlightenment.org/T8678
Fixed upstream: https://phab.enlightenment.org/rEFL56e2e21ae777434d718a262297a1e03cf2f565dc
Well, the upstream fix is not exactly what I had in mind. But as the upstream comment says, the actual attack vector is already fixed by setting the CWD in the setuid-root binary.
Closing as fixed.