Resolves: CVE-2017-18018 - doc: warn about following symlinks recursively in chown/chgrp

2018-01-23 16:50:37 +01:00 · 2018-01-23 16:50:37 +01:00 · fd470b54bc
parent 79fe59c7fc
commit fd470b54bc
2 changed files with 128 additions and 0 deletions
--- a/coreutils-8.29-CVE-2017-18018.patch
+++ b/coreutils-8.29-CVE-2017-18018.patch
@ -0,0 +1,124 @@
+From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 28 Dec 2017 15:52:42 -0500
+Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults
+
+* doc/coreutils.texi: the documentation for the --dereference
+  flag of chown/chgrp states that it is the default mode of
+  operation. Document that this is only the case when operating
+  non-recursively.
+
+Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ doc/coreutils.texi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index de1f2eb..de06c0f 100644
+--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
+@@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
+This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11119,7 +11119,7 @@ changed.
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
+This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
+-- 
+2.13.6
+
+
+From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 4 Jan 2018 11:38:21 -0500
+Subject: [PATCH 2/2] doc: warn about following symlinks recursively in
+ chown/chgrp
+
+In both chown and chgrp (which shares its code with chown), operating
+on symlinks recursively has a window of vulnerability where the
+destination user or group can change the target of the operation.
+Warn about combining the --dereference, --recursive, and -L flags.
+
+* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
+(node chown invocation): Add it to --dereference and -L.
+(node chgrp invocation): Likewise.
+
+See also: CVE-2017-18018
+
+Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ doc/coreutils.texi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index de06c0f..24cc85b 100644
+--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
+@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
+ In a recursive traversal, traverse every symbolic link to a directory
+ that is encountered.
+ @end macro
+
+@c Append the following warning to -L where appropriate (e.g. chown).
+@macro warnOptDerefWithRec
+
+Combining this dereferencing option with the @option{--recursive} option
+may create a security risk:
+During the traversal of the directory tree, an attacker may be able to
+introduce a symlink to an arbitrary target; when the tool reaches that,
+the operation will be performed on the target of that symlink,
+possibly allowing the attacker to escalate privileges.
+
+@end macro
+
+ @choptL
+ 
+ @macro choptP
+@@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
+@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
+@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
+@@ -11120,6 +11135,7 @@ changed.
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
+@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
+@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
+-- 
+2.13.6
+
--- a/coreutils.spec
+++ b/coreutils.spec
@ -17,6 +17,9 @@ Source106:  coreutils-colorls.csh
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.29-9-g29baf25aa
 Patch1:   coreutils-8.29-mv-n-noreplace.patch

+# doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018)
+Patch2:   coreutils-8.29-CVE-2017-18018.patch
+
 # disable the test-lock gnulib test prone to deadlock
 Patch100: coreutils-8.26-test-lock.patch

@ -278,6 +281,7 @@ fi

 %changelog
 * Tue Jan 23 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-2
+- doc: warn about following symlinks recursively in chown/chgrp (CVE-2017-18018)
 - mv -n: do not overwrite the destination

 * Tue Jan 02 2018 Kamil Dudka <kdudka@redhat.com> - 8.29-1