[Touch-packages] [Bug 1787548] Re: PAM fscrypt adds root(0) group to all users called by su

2018-08-23 Thread Launchpad Bug Tracker 
This bug was fixed in the package fscrypt - 0.2.2-0ubuntu2.1

---
fscrypt (0.2.2-0ubuntu2.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation via improperly restored
supplementary groups in libpam-fscrypt (LP: #1787548)
- CVE-2018-6558.patch: Save the euid, egid, and supplementary groups when
  entering the PAM module, drop privileges to perform actions on behalf of
  the user, and then properly restore the saved values before exiting the
  PAM module. Based on patch from upstream.
- CVE-2018-6558
  * 0001-security-drop-and-regain-privileges-in-all-threads.patch: Drop and
regain privileges in all threads of the current process
  * 0001-Ensure-keyring-privilege-changes-are-reversible.patch: Ensure keyring
privilege changes are reversible to prevent failures when, for example,
"su " is executed as an unprivileged user

 -- Tyler Hicks   Wed, 22 Aug 2018 18:57:26 +

** Changed in: fscrypt (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1787548

Title:
  PAM fscrypt adds root(0) group to all users called by su

Status in Shadow:
  Invalid
Status in fscrypt package in Ubuntu:
  Fix Released
Status in shadow package in Ubuntu:
  Invalid

Bug description:
  related packages: /bin/su (from login , shadow)

  OS: ubuntu 18.04.1, updated

  Bug: a normal user (not in 'root' group), when the PAM module fscrypt
  is active, all calls of su give the user additional group root(0).

  Results: this is a permission escalation, such user can now delete
  files owned by root group (where permisions are g+w)

  Steps to reproduce: 
  0/ login uses pam unix authentication module (default on ubuntu, no action 
needed)
  0.1/ create a new user: 
  # useradd developer

  1/ verify:
  #id developer 
  // on my system, shows
  // uid=1004(developer) gid=1004(developer) groups=1004(developer) 
  \su - developer -c id
  sudo -u developer id

  2/ enable pam-fscrypt
  # apt install libpam-fscrypt
  # pam-auth-update --enable fscrypt

  3/ verify again (bug shows)
  // repeate step 1/ 
  // the su command will show the bug (sudo won't, interestingly)
  \su - developer -c id
  // uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)

  4/ workaround and return to original state:
  pam-auth-update --disable fscrypt
  apt remove  libpam-fscrypt

  Thank you,

To manage notifications about this bug go to:
https://bugs.launchpad.net/shadow/+bug/1787548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1787548] Re: PAM fscrypt adds root(0) group to all users called by su

2018-08-23 Thread Tyler Hicks 
I've uploaded an fscrypt security update to the Ubuntu Security PPA.
Ubuntu Security will release it once they've reviewed and approved the
changes.

** Information type changed from Private Security to Public Security

** Changed in: shadow (Ubuntu)
   Status: New => Invalid

** Changed in: shadow
   Status: New => Invalid

** Changed in: fscrypt (Ubuntu)
   Status: New => Confirmed

** Changed in: fscrypt (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1787548

Title:
  PAM fscrypt adds root(0) group to all users called by su

Status in Shadow:
  Invalid
Status in fscrypt package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Invalid

Bug description:
  related packages: /bin/su (from login , shadow)

  OS: ubuntu 18.04.1, updated

  Bug: a normal user (not in 'root' group), when the PAM module fscrypt
  is active, all calls of su give the user additional group root(0).

  Results: this is a permission escalation, such user can now delete
  files owned by root group (where permisions are g+w)

  Steps to reproduce: 
  0/ login uses pam unix authentication module (default on ubuntu, no action 
needed)
  0.1/ create a new user: 
  # useradd developer

  1/ verify:
  #id developer 
  // on my system, shows
  // uid=1004(developer) gid=1004(developer) groups=1004(developer) 
  \su - developer -c id
  sudo -u developer id

  2/ enable pam-fscrypt
  # apt install libpam-fscrypt
  # pam-auth-update --enable fscrypt

  3/ verify again (bug shows)
  // repeate step 1/ 
  // the su command will show the bug (sudo won't, interestingly)
  \su - developer -c id
  // uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)

  4/ workaround and return to original state:
  pam-auth-update --disable fscrypt
  apt remove  libpam-fscrypt

  Thank you,

To manage notifications about this bug go to:
https://bugs.launchpad.net/shadow/+bug/1787548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp