oss-sec mailing list archives
deepin-clone: various symlink attacks
From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 4 Jul 2019 14:59:14 +0200
Hello,

deepin-clone [1] is a command line and graphical disk backup utility that is part of the deepin desktop environment (a desktop environment focused on Chinese users). In the course of a review [2] of polkit privileges used by the application the following major security issues have been found:

1) CVE-2019-13227: in GUI mode deepin-clone creates `/tmp/.deepin-clone.log` as root and follows symlinks there.

2) CVE-2019-13226: `Helper::temporaryMountDevice()` uses a predictable path `/tmp/.deepin-clone/mount/<block-dev-basename>` to temporarily mount a file system there. These paths can be prepared by an attacker and symlinks will be followed during mounting. If the attacker wins a race condition by quickly entering the mount point then it can also prevent the following unmount. This logic can e.g. be triggered by running `deepin-clone -i /dev/sdX`. An attacker can thus cause the file system to be permanently mounted at an arbitrary location in the file system.

3) CVE-2019-13229: `Helper::getPartitionSizeInfo()` uses `/tmp/partclone.log` as a fixed path during execution of partclone. The same issues about symlink attacks etc. like in 1) apply here.

4) CVE-2019-13228: similarly in `BootDoctor::fix()` the fixed path `/tmp/repo.iso` is created and the fixed directory `/tmp/.deepin-clone` is used. The same concerns as in 1) and 3) apply. By winning a race condition to replace the `/tmp/repo.iso` symlink by an attacker controlled iso file further privilege escalation may be possible.

The issues have been fixed via the upstream commit [3].

Best Regards

Matthias

[1]: https://github.com/linuxdeepin/deepin-clone
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1130388
[3]: https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab

--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)