Bugzilla – Bug 1182407
VUL-0: CVE-2021-31997: python-postorius: postorius-permissions.sh used during %post allows local privilege escalation from postorius user to root
Last modified: 2022-01-03 10:57:58 UTC
+++ This bug was initially created as a clone of Bug #1182373
We are currently reviewing checked-in scripts and sources in OBS for security
In python-postorius the script postorius-permissions.sh is installed along
with the package and is also invoked in the %post section of the
In particular this script performs recursive ownership changes and ACL
settings as root on user controlled directories in /var/lib/postorius/data and
Since these directories are owned by the postorius and/or postorius-admin
users they can stage symlink attacks to pass ownership of arbitrary files in
the system to themselves. A compromised postorius or postorius-admin account
might therefore be able to perform a local root exploit.
Please perform safe operations here. For example:
- only perform the changes in ownership if the ownership does *not* match i.e.
don't do it unconditionally.
- pass ownership of the root directory last.
- pass switches like -P to setfacl and -h to chown to make it not follow
- using `setpriv` or `su` to drop privileges to the owner of the root of the
This script is very similar to the one in python-HyperKitty bsc#1182373. It
appears to be SUSE specific.
Internal CRD: 2021-05-19 or earlier
Please have a look at this. You can reach out to us if you need additional help fixing this. Thank you
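A hardened form of the recursive ownership fix the bullets above ask for, added here as an example and not the package's own postorius-permissions.sh: ownership is changed only where it does not already match, symlinks are never followed (find without -L, stat without -L, chown -h), and the root directory is handled last. It assumes bash with GNU coreutils; the directory, owner and group are constructed arguments, not values from the package.

```bash
#!/bin/bash
# Added example, not the package's own postorius-permissions.sh: a recursive
# ownership fix that follows the report's advice (change ownership only where
# it does not already match, never follow symlinks, handle the root last).
# Assumed: GNU coreutils (stat -c, chown -h, find -print0) and bash.
set -u

# True if PATH is already owned by WANT ("owner:group", names or numeric ids).
# stat without -L reports the symlink itself, never its target.
owner_matches() {
  local want=$1 path=$2
  [ "$(stat -c '%U:%G' "$path")" = "$want" ] ||
  [ "$(stat -c '%u:%g' "$path")" = "$want" ]
}

# Print, one per line, the paths whose ownership must change, children before
# parents and the root directory last. Nothing is modified here.
plan_chown_tree() {
  local root=$1 want=$2:$3 path
  # A symlinked root would redirect the whole walk: refuse it outright.
  if [ -L "$root" ] || [ ! -d "$root" ]; then
    echo "refusing: $root is a symlink or not a directory" >&2
    return 1
  fi
  # find does not follow symlinks unless -L is given; -depth gives post-order.
  find "$root" -mindepth 1 -depth -print0 |
    while IFS= read -r -d '' path; do
      owner_matches "$want" "$path" || printf '%s\n' "$path"
    done
  owner_matches "$want" "$root" || printf '%s\n' "$root"
}

# Apply the plan with chown -h so a symlink's own ownership changes but its
# target is never touched. Paths containing newlines are not supported.
apply_chown_tree() {
  local plan path
  plan=$(plan_chown_tree "$@") || return 1
  [ -n "$plan" ] || return 0
  printf '%s\n' "$plan" | while IFS= read -r path; do
    chown -h "$2:$3" -- "$path" || exit 1
  done
}
```

Run as root from %post with the data directory, owner and group as arguments; the plan step can be run on its own first to review what would change.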
Please fix it if you have the time.
(In reply to firstname.lastname@example.org from comment #3)
> Please fix it if you have the time.
The security team cannot maintain custom scripts for you. There are hundreds
of them in openSUSE:Factory alone and we have enough work on our hands just to
You can either fix it or remove the script. If there is no submission until
the CRD is over then we will need to file a delete request for this package
for openSUSE:Factory and openSUSE:Leap:*. The same goes for bug 1182373.
CRD also crossed for this now. Publishing.
Please use CVE-2021-31997 for this
OBS sr#896998 for Factory is still in staging. This sr# removes the
permissions script completely. Leap:15.2 does not contain the script. Keeping
this bug open until the fix has made its way to Factory.
(In reply to email@example.com from comment #8)
> OBS sr#896998 for Factory is still in staging. This sr# removes the
> permissions script completely. Leap:15.2 does not contain the script. Keeping
> this bug open until the fix has made its way to Factory.
So the sr# got declined in Factory. I cannot make out the reason. The
problematic script is still in Factory. Could you please reiterate?
The package has been removed from Factory due to the unfixed issues. In Leap
15.2 an older version without the script in question still exists. Therefore
closing this bug as WONTFIX until further notice.