[go: up one dir, main page]
Bug 1062722 (CVE-2017-14798) - VUL-0: CVE-2017-14798: postgresql-init: LPE via postgres init script
Summary: VUL-0: CVE-2017-14798: postgresql-init: LPE via postgres init script
Status: RESOLVED FIXED
Alias: CVE-2017-14798
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2017-14798:6.8:(AV:L/...
Keywords:
Depends on: CVE-2017-12172
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-11 09:20 UTC by Johannes Segitz
Modified: 2020-08-13 09:55 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-10-11 09:20:18 UTC 
Created attachment 743849 [details]
POC

Problematic use of install allows LPE from postgres user to root.

Make public when 1062538 goes public
Comment 2 Reinhard Max 2017-10-11 11:17:03 UTC 
Actually, things are even easier, because creation of the data dir before calling initdb is not needed (anymore). I just checked that initdb creates the dir if it doesn't yet exist and also locks down the permissions to 700 if it exists with more relaxed permissions.

So, the new proposed patch would be:
--- postgresql-init     (revision 45eea42cac80ba1bfc18b4c7a5f53e90)
+++ postgresql-init     (working copy)
@@ -98,7 +98,6 @@
            INITDB=/usr/bin/initdb
             V=$(printf "%02d%02d" $(echo $VERSION|awk -F. '{print $1, $2}'))
             AUTH="ident"; test $V -lt 0900 && AUTH="ident sameuser"
-           install -d -o postgres -g postgres -m 700 ${DATADIR} &&
             su - postgres -c \
                 "$INITDB --locale=$LANG --auth=\"$AUTH\" $DATADIR &> initlog" ||
            rc_failed
Comment 4 Swamp Workflow Management 2017-11-27 21:20:41 UTC 
SUSE-SU-2017:3107-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1062722
CVE References: CVE-2017-14798
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql-init-9.4-0.5.3.1
Comment 5 Marcus Meissner 2018-01-15 10:41:48 UTC 
released