Bug 1194470 - (CVE-2022-21944) VUL-0: CVE-2022-21944: watchman: chown in watchman@.socket unit allows symlink attack
(CVE-2022-21944)
VUL-0: CVE-2022-21944: watchman: chown in watchman@.socket unit allows symlin...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Matthias Gerstner
E-mail List
https://smash.suse.de/issue/319784/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-01-10 14:47 UTC by Matthias Gerstner
Modified: 2022-05-17 13:23 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2022-01-10 14:47:13 UTC
The somewhat peculiar systemd integration of watchman caused me to create a
security issue in the watchman@.socket unit:

```
ExecStartPost=/usr/bin/chown %i:users /run/watchman/%i-state
```

/run/watchman is a public sticky-bit directory with mode 1777.

The problem here is that watchman should continue working as normal on the
command line without using systemd. This means that an unprivileged watchman
instance must be able to create /run/watchman/$USER-state. This is why
/run/watchman is a public sticky-bit directory.

The systemd socket unit on the other hand must be able to create the socket
*and* the intermediate directory if the socket unit is started. The
intermediate directory needs to have the correct permissions. The chown line
above means, however, that if the unprivileged user places a symlink into
/run/watchman/$USER-state, that the chown will follow that symlink and e.g.
give ownership of /etc to the unprivileged user.

I am currently working on an update for Factory that fixes this. Since this is
SUSE packaging specific we'll need one of our SUSE CNA CVEs for this.
Watchman is also in Leap so some maintenance updates are in order there.
Comment 1 Johannes Segitz 2022-01-10 14:50:07 UTC
Please use CVE-2022-21944
Comment 2 Matthias Gerstner 2022-01-10 15:06:01 UTC
The new approach is to call a ExecStartPre script as the unprivileged user.
This script will create the state directory in a safe-ish way. The sticky bit
directory is shaky for this purpose but I don't see a simple way around that.
Comment 3 OBSbugzilla Bot 2022-01-10 15:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/945357 Factory / watchman
Comment 4 Marcus Meissner 2022-01-11 12:43:23 UTC
15.2 is eol... but can you also submit to

openSUSE:Backports:SLE-15-SP3:Update/watchman   for Leap 15.3 and PackageHub 15-sp3

and optionally to
openSUSE:Backports:SLE-15-SP1:Update/watchman
openSUSE:Backports:SLE-15-SP2:Update/watchman
Comment 5 OBSbugzilla Bot 2022-01-11 13:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/945580 15.2 / watchman
Comment 7 OBSbugzilla Bot 2022-01-17 12:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1194470) was mentioned in
https://build.opensuse.org/request/show/946942 Backports:SLE-15-SP3 / watchman
Comment 8 Matthias Gerstner 2022-01-17 13:02:49 UTC
An update is now out towards Backports:SLE-15-SP3 which should also cover Leap
15.3. If further updates are required for Backports:SLE-15-SP{1,2} then please
tell me. Leaving it to reactive security to close this bug if all is cared
for.
Comment 9 Swamp Workflow Management 2022-01-17 23:19:25 UTC
openSUSE-SU-2022:0016-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1181400,1194470
CVE References: CVE-2022-21944
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    watchman-4.9.0-bp153.2.3.1
Comment 10 Matthias Gerstner 2022-05-17 13:23:02 UTC
All codestreams should be fixed. Reactive security gave green light to close
this.