Bugzilla – Bug 1194470
VUL-0: CVE-2022-21944: watchman: chown in watchman@.socket unit allows symlink attack
Last modified: 2022-05-17 13:23:02 UTC
The somewhat peculiar systemd integration of watchman caused me to create a security issue in the watchman@.socket unit:

```
ExecStartPost=/usr/bin/chown %i:users /run/watchman/%i-state
```

/run/watchman is a public sticky-bit directory with mode 1777. The problem here is that watchman should continue working as normal on the command line without using systemd. This means that an unprivileged watchman instance must be able to create /run/watchman/$USER-state. This is why /run/watchman is a public sticky-bit directory. The systemd socket unit on the other hand must be able to create the socket *and* the intermediate directory if the socket unit is started. The intermediate directory needs to have the correct permissions.

The chown line above means, however, that if the unprivileged user places a symlink into /run/watchman/$USER-state, the chown will follow that symlink and e.g. give ownership of /etc to the unprivileged user.

I am currently working on an update for Factory that fixes this. Since this is SUSE packaging specific we'll need one of our SUSE CNA CVEs for this. Watchman is also in Leap so some maintenance updates are in order there.
Please use CVE-2022-21944
The new approach is to call a ExecStartPre script as the unprivileged user. This script will create the state directory in a safe-ish way. The sticky bit directory is shaky for this purpose but I don't see a simple way around that.
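One way to implement the ExecStartPre step described above, as an added example that is not the script from the openSUSE package: the base directory and user name are parameters, the script is meant to run as the unprivileged user itself (so a followed symlink could not gain anything), and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: create BASE/NAME-state below a 1777 sticky directory
# without chown and without following a planted symlink. Not the
# package's own ExecStartPre script; assumed to run as the target user.
make_state_dir() {
    base=$1
    name=$2
    dir="$base/$name-state"

    # The base must be a real directory, not a symlink someone planted.
    if [ -L "$base" ] || [ ! -d "$base" ]; then
        echo "refusing: $base is not a directory" >&2
        return 1
    fi

    # mkdir(2) never follows a symlink at the final path component: if
    # BASE/NAME-state already exists as a symlink, mkdir fails with EEXIST
    # instead of creating anything behind the link.
    if ! mkdir -m 0700 "$dir" 2>/dev/null; then
        # Something is already there. Accept only a real directory;
        # ownership and mode are verified below.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            echo "refusing: $dir exists and is not a directory" >&2
            return 1
        fi
    fi

    # Verify owner and mode with lstat-style stat (GNU stat, assumed);
    # never "repair" them with chown/chmod through the path, which is the
    # step that made the original unit exploitable.
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$(id -u)" ] || [ "$mode" != "700" ]; then
        echo "refusing: $dir has owner $owner and mode $mode" >&2
        return 1
    fi
    return 0
}
```

The check-then-use window between the tests is what makes this only "safe-ish"; running the script unprivileged, rather than the chown as root, is what removes the privilege escalation.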
This is an autogenerated message for OBS integration: This bug (1194470) was mentioned in https://build.opensuse.org/request/show/945357 Factory / watchman
15.2 is eol... but can you also submit to openSUSE:Backports:SLE-15-SP3:Update/watchman for Leap 15.3 and PackageHub 15-sp3 and optionally to openSUSE:Backports:SLE-15-SP1:Update/watchman openSUSE:Backports:SLE-15-SP2:Update/watchman
This is an autogenerated message for OBS integration: This bug (1194470) was mentioned in https://build.opensuse.org/request/show/945580 15.2 / watchman
This is an autogenerated message for OBS integration: This bug (1194470) was mentioned in https://build.opensuse.org/request/show/946942 Backports:SLE-15-SP3 / watchman
An update is now out towards Backports:SLE-15-SP3 which should also cover Leap 15.3. If further updates are required for Backports:SLE-15-SP{1,2} then please tell me. Leaving it to reactive security to close this bug if all is cared for.
openSUSE-SU-2022:0016-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1181400, 1194470
CVE References: CVE-2022-21944
JIRA References:
Sources used: openSUSE Backports SLE-15-SP3 (src): watchman-4.9.0-bp153.2.3.1
All codestreams should be fixed. Reactive security gave green light to close this.