Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-08 Thread Holger Levsen
Hi Tzafrir,

On Sat, Jan 07, 2017 at 10:28:01PM +0100, Tzafrir Cohen wrote:
> I prepared a version in the branch jessie-backports in git[1].
> 
> It seems to work OK here. I don't have my key in the backports keyring,
> so I prefer that you upload it.

done, thanks! Also created a git tag and pushed it.

Feel free to ping me for future uploads of mock to jessie-backports. I'm
also subscribed to the package in the PTS…


-- 
cheers,
Holger




Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-07 Thread Tzafrir Cohen
On Fri, Jan 06, 2017 at 01:37:58PM +, Holger Levsen wrote:
> Hi Tzafrir,
> 
> On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> > The version in Jessie-backports seems to be the only one affected by it.
> 
> will you upload a fixed version to jessie-bpo or should I? (I'd be happy
> if you did, but I was the person introducing mock to bpo, so I'd take
> responsibility and fix, if needed.)

I prepared a version in the branch jessie-backports in git[1].

It seems to work OK here. I don't have my key in the backports keyring,
so I prefer that you upload it.


-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend



Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-06 Thread Holger Levsen
Hi Tzafrir,

On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> The version in Jessie-backports seems to be the only one affected by it.

will you upload a fixed version to jessie-bpo or should I? (I'd be happy
if you did, but I was the person introducing mock to bpo, so I'd take
responsibility and fix, if needed.)


-- 
cheers,
Holger




Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-05 Thread Salvatore Bonaccorso
On Fri, Jan 06, 2017 at 06:34:15AM +0100, Salvatore Bonaccorso wrote:
> # not found actually in 1.3.2 ...
> Control: notfound -1 850320 1.3.2-1
> # but found in version as in jessie backports according to analysis
> Control: found -1 1.2.3-1
> # and mark as fixed in 1.3.2-1 the first version after 1.2.21 in the
> # archive
> Control: fixed -1 850320 1.3.2-1

Bah, so much wrong syntax in a few lines. I fixed it now.

Regards,
Salvatore



Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-05 Thread Salvatore Bonaccorso
# not found actually in 1.3.2 ...
Control: notfound -1 850320 1.3.2-1
# but found in version as in jessie backports according to analysis
Control: found -1 1.2.3-1
# and mark as fixed in 1.3.2-1 the first version after 1.2.21 in the
# archive
Control: fixed -1 850320 1.3.2-1

Hi Tzafrir,

On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> My initial reading into this: neither the version in Stable (1.1.33-1)
> nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not
> closing yet as I want to test this better.
> 
> The version in Jessie-backports seems to be the only one affected by it.
> 
> Impact: mock is a chroot building server. You feed it with RPM source
> packages and they get built in chroots (that it creates). Package
> specifications may generally include various forms of executable code.
> The builder runs the builds as a non-root user. The issue was that the
> rpm spec file was evaluated accidentally as root.
> 
> This issue was fixed upstream just before 1.2.22, and that fix is
> included in the current version (1.3.2). In 1.1.33 the parsing seems to
> be done before after temporarily dropping super-user privileges at
> startup.

Thanks for your investigation and the explanation of the attack
vector, that's much appreciated.

I seem to have read the patch wrongly, leading me to think that
src:mock 1.3.2 is affected. If you agree on the above Control changes
and we are sure that the version in stable is not affected, then I
guess we can go ahead with the closure.

Regards and thanks for your time taken,
Salvatore



Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-05 Thread Tzafrir Cohen
My initial reading into this: neither the version in Stable (1.1.33-1)
nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not
closing yet as I want to test this better.

The version in Jessie-backports seems to be the only one affected by it.

Impact: mock is a chroot building server. You feed it with RPM source
packages and they get built in chroots (that it creates). Package
specifications may generally include various forms of executable code.
The builder runs the builds as a non-root user. The issue was that the
rpm spec file was evaluated accidentally as root.

This issue was fixed upstream just before 1.2.22, and that fix is
included in the current version (1.3.2). In 1.1.33 the parsing seems to
be done before after temporarily dropping super-user privileges at
startup.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend
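
The mitigation Tzafrir describes (evaluate the untrusted spec only after dropping super-user privileges) in a small added example. This is illustrative code written for this thread, not mock's own implementation: `summarise_spec` is a hypothetical stand-in for rpm's spec evaluation, the spec text is constructed, and uid/gid 65534 is assumed to be an unprivileged "nobody" account.

```python
import json
import os

# Constructed stand-in for an untrusted RPM spec (not from the bug report or
# from mock): the %(...) macro is the kind of content rpm would execute.
SPEC_TEXT = "Name: example\nVersion: %(echo 1.0)\nRelease: 1\n"

def summarise_spec(text):
    """Hypothetical spec 'evaluation' stand-in: return the Name field and the
    number of %(...) shell macros the spec carries."""
    name = next((l.split(":", 1)[1].strip() for l in text.splitlines()
                 if l.startswith("Name:")), None)
    return {"name": name, "shell_macros": text.count("%(")}

def run_unprivileged(func, uid, gid):
    """Fork, drop root to uid/gid in the child, run func() there and return its
    JSON-serialisable result. Never falls back to running func as root."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child
        os.close(rfd)
        status = 1
        try:
            if os.geteuid() == 0:
                os.setgroups([])                   # supplementary groups first,
                os.setgid(gid)                     # then gid, then uid: the
                os.setuid(uid)                     # order matters
            if os.geteuid() == 0:                  # refuse to evaluate as root
                raise PermissionError("still running as root")
            payload = {"result": func(), "euid": os.geteuid()}
            os.write(wfd, json.dumps(payload).encode())
            status = 0
        finally:
            os.close(wfd)
            os._exit(status)
    os.close(wfd)                                  # parent
    data = b""
    while chunk := os.read(rfd, 4096):
        data += chunk
    os.close(rfd)
    _, wstatus = os.waitpid(pid, 0)
    if not os.WIFEXITED(wstatus) or os.WEXITSTATUS(wstatus) != 0:
        raise RuntimeError("unprivileged child failed; result discarded")
    return json.loads(data.decode())

def unprivileged_uid_gid():
    """Pick a non-root identity: the caller's own if already unprivileged,
    otherwise 65534/65534 (assumed to be 'nobody')."""
    return (65534, 65534) if os.getuid() == 0 else (os.getuid(), os.getgid())
```

The parent keeps its privileges for the chroot setup, while anything derived from the spec reaches it only as data over the pipe; a child that cannot drop privileges exits non-zero instead of evaluating the spec.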



Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm

2017-01-05 Thread Salvatore Bonaccorso
Source: mock
Version: 1.3.2-1
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

the following vulnerability was published for mock. I'm not too
familiar with it, but following the code and the applied upstream
commit 1.3.2-1 should be vulnerable.

CVE-2016-6299[0]:
privilege escalation via mock-scm

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6299
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6299
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1375490
[2] https://github.com/rpm-software-management/mock/commit/8b02f43beadacf6911200b48d94e39e891a41da9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore