mock: CVE-2016-6299: privilege escalation via mock-scm

Related Vulnerabilities: CVE-2016-6299

Debian Bug report logs - #850320


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 5 Jan 2017 21:00:12 UTC

Severity: grave

Tags: patch, security, upstream

Found in version mock/1.2.3-1

Fixed in versions mock/1.3.2-1, 1.3.2-1

Done: Holger Levsen <holger@layer-acht.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Thu, 05 Jan 2017 21:00:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tzafrir Cohen <tzafrir@debian.org>. (Thu, 05 Jan 2017 21:00:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Thu, 05 Jan 2017 21:59:29 +0100
Source: mock
Version: 1.3.2-1
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

the following vulnerability was published for mock. I'm not too
familiar with it, but following the code and the applied upstream
commit 1.3.2-1 should be vulnerable.

CVE-2016-6299[0]:
privilege escalation via mock-scm

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6299
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6299
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1375490
[2] https://github.com/rpm-software-management/mock/commit/8b02f43beadacf6911200b48d94e39e891a41da9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Thu, 05 Jan 2017 23:27:02 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@cohens.org.il>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Thu, 05 Jan 2017 23:27:02 GMT)


Message #10 received at 850320@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@cohens.org.il>
To: Salvatore Bonaccorso <carnil@debian.org>, 850320@bugs.debian.org
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Fri, 6 Jan 2017 00:25:07 +0100
My initial reading into this: neither the version in Stable (1.1.33-1)
nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not
closing yet as I want to test this better.

The version in Jessie-backports seems to be the only one affected by it.

Impact: mock is a chroot building server. You feed it with RPM source
packages and they get built in chroots (that it creates). Package
specifications may generally include various forms of executable code.
The builder runs the builds as a non-root user. The issue was that the
rpm spec file was evaluated accidentally as root.

This issue was fixed upstream just before 1.2.22, and that fix is
included in the current version (1.3.2). In 1.1.33 the parsing seems to
be done before after temporarily dropping super-user privileges at
startup.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend
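An added illustration of the flow described above (drop privileges first, then evaluate the untrusted spec); this is example code written for this page, not mock's own code and not part of the bug report. The spec text is constructed, the uid/gid 65534 (nobody) is an assumed unprivileged identity, and the helper names are my own rather than mock's. The point it makes concrete: an rpm spec carries parse-time code (the %(...) shell macro), so whatever process parses it must already be unprivileged.

```python
import os
import re
from contextlib import contextmanager

# Constructed sample spec (not from mock or the bug report). rpm's %(...) macro
# runs the command while the spec is *parsed*, before any build section runs,
# which is why evaluating a spec as root is already code execution as root.
SAMPLE_SPEC = """\
Name: demo
Version: %(id -un)
Release: 1
Summary: constructed sample spec
License: MIT

%description
Demonstration only.
"""

SHELL_MACRO = re.compile(r"%\(([^)]*)\)")      # rpm parse-time shell macro
HEADER_LINE = re.compile(r"^(\w+):\s*(.*)$")   # "Tag: value" preamble lines


def shell_macro_commands(spec_text):
    """List the shell snippets a spec would execute at parse time."""
    return SHELL_MACRO.findall(spec_text)


@contextmanager
def dropped_privileges(uid, gid):
    """Temporarily switch the effective uid/gid and restore them on exit.

    Same idea as mock's temporary privilege drop around the parsing step
    (assumed helper names, not mock's). A no-op when not running as root.
    """
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    if saved_uid != 0:
        yield
        return
    os.setegid(gid)
    os.seteuid(uid)
    try:
        yield
    finally:
        # Restoring root is allowed because the real uid is still 0.
        os.seteuid(saved_uid)
        os.setegid(saved_gid)


def parse_spec(spec_text, euid=None):
    """Parse the spec preamble, refusing to run while the effective uid is 0.

    `euid` defaults to the live os.geteuid(); it is a parameter only so the
    guard can be exercised without root.
    """
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        raise PermissionError("refusing to evaluate an untrusted spec as root")
    headers = {}
    for line in spec_text.splitlines():
        m = HEADER_LINE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
    # Surface the parse-time commands so a reviewer sees what rpm would run.
    headers["parse_time_commands"] = shell_macro_commands(spec_text)
    return headers


def evaluate_spec_unprivileged(spec_text, uid=65534, gid=65534):
    """The fixed ordering: drop privileges first, then evaluate the spec."""
    with dropped_privileges(uid, gid):
        return parse_spec(spec_text)


if __name__ == "__main__":
    print(evaluate_spec_unprivileged(SAMPLE_SPEC))
```

The guard in parse_spec is the cheap backstop: even if a caller forgets the privilege drop, the parser refuses to proceed as root rather than silently running spec macros with full privileges.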



Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Fri, 06 Jan 2017 05:36:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Fri, 06 Jan 2017 05:36:02 GMT)


Message #15 received at 850320@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tzafrir Cohen <tzafrir@cohens.org.il>
Cc: 850320@bugs.debian.org
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Fri, 6 Jan 2017 06:34:15 +0100
# not found actually in 1.3.2 ...
Control: notfound -1 850320 1.3.2-1
# but found in version as in jessie backports according to analysis
Control: found -1 1.2.3-1
# and mark as fixed in 1.3.2-1 the first version after 1.2.21 in the
# archive
Control: fixed -1 850320 1.3.2-1

Hi Tzafrir,

On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> My initial reading into this: neither the version in Stable (1.1.33-1)
> nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not
> closing yet as I want to test this better.
> 
> The version in Jessie-backports seems to be the only one affected by it.
> 
> Impact: mock is a chroot building server. You feed it with RPM source
> packages and they get built in chroots (that it creates). Package
> specifications may generally include various forms of executable code.
> The builder runs the builds as a non-root user. The issue was that the
> rpm spec file was evaluated accidentally as root.
> 
> This issue was fixed upstream just before 1.2.22, and that fix is
> included in the current version (1.3.2). In 1.1.33 the parsing seems to
> be done before after temporarily dropping super-user privileges at
> startup.

Thanks for your investigation and the explanation of the attack
vector, that's much appreciated.

I seem to have read the patch wrongly, leading me to think that
src:mock 1.3.2 is affected. If you agree on the above Control changes
and we are sure that the version in stable is not affected, then I
guess we can go ahead with the closure.

Regards and thanks for your time taken,
Salvatore



No longer marked as found in versions mock/1.3.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Jan 2017 05:42:03 GMT)


Marked as found in versions mock/1.2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Jan 2017 05:42:03 GMT)


Marked as fixed in versions mock/1.3.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Jan 2017 05:42:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Fri, 06 Jan 2017 05:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Fri, 06 Jan 2017 05:57:06 GMT)


Message #26 received at 850320@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 850320@bugs.debian.org
Cc: Tzafrir Cohen <tzafrir@cohens.org.il>
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Fri, 6 Jan 2017 06:52:40 +0100
On Fri, Jan 06, 2017 at 06:34:15AM +0100, Salvatore Bonaccorso wrote:
> # not found actually in 1.3.2 ...
> Control: notfound -1 850320 1.3.2-1
> # but found in version as in jessie backports according to analysis
> Control: found -1 1.2.3-1
> # and mark as fixed in 1.3.2-1 the first version after 1.2.21 in the
> # archive
> Control: fixed -1 850320 1.3.2-1

Bah, so much wrong syntax in a few lines. I fixed it now.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Fri, 06 Jan 2017 13:39:03 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Fri, 06 Jan 2017 13:39:03 GMT)


Message #31 received at 850320@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Tzafrir Cohen <tzafrir@cohens.org.il>, 850320@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Fri, 6 Jan 2017 13:37:58 +0000
Hi Tzafrir,

On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> The version in Jessie-backports seems to be the only one affected by it.

will you upload a fixed version to jessie-bpo or should I? (I'd be happy
if you did, but I was the person introducing mock to bpo, so I'd take
responsibility and fix, if needed.)


-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Sat, 07 Jan 2017 21:33:02 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@cohens.org.il>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Sat, 07 Jan 2017 21:33:02 GMT)


Message #36 received at 850320@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@cohens.org.il>
To: Holger Levsen <holger@layer-acht.org>
Cc: 850320@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Sat, 7 Jan 2017 22:28:01 +0100
On Fri, Jan 06, 2017 at 01:37:58PM +0000, Holger Levsen wrote:
> Hi Tzafrir,
> 
> On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> > The version in Jessie-backports seems to be the only one affected by it.
> 
> will you upload a fixed version to jessie-bpo or should I? (I'd be happy
> if you did, but I was the person introducing mock to bpo, so I'd take
> responsibility and fix, if needed.)

I prepared a version in the branch jessie-backports in git[1].

It seems to work OK here. I don't have my key in the backports keyring,
so I prefer that you upload it.


-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend



Information forwarded to debian-bugs-dist@lists.debian.org, Tzafrir Cohen <tzafrir@debian.org>:
Bug#850320; Package src:mock. (Sun, 08 Jan 2017 13:06:04 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Tzafrir Cohen <tzafrir@debian.org>. (Sun, 08 Jan 2017 13:06:04 GMT)


Message #41 received at 850320@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Tzafrir Cohen <tzafrir@cohens.org.il>
Cc: 850320@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
Date: Sun, 8 Jan 2017 13:03:07 +0000
Hi Tzafrir,

On Sat, Jan 07, 2017 at 10:28:01PM +0100, Tzafrir Cohen wrote:
> I prepared a version in the branch jessie-backports in git[1].
> 
> It seems to work OK here. I don't have my key in the backports keyring,
> so I prefer that you upload it.

done, thanks! Also created a git tag and pushed it.

Feel free to ping me for future uploads of mock to jessie-backports. I'm
also subscribed to the package in the PTS…


-- 
cheers,
	Holger

Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. (Sun, 10 Feb 2019 17:27:31 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Feb 2019 17:27:31 GMT)


Message #46 received at 850320-done@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 850320-done@bugs.debian.org
Subject: done
Date: Sun, 10 Feb 2019 17:25:15 +0000
version: 1.3.2-1

long fixed, just never marked as done.


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2019 07:29:01 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:23:09 2019; Machine Name: beach