Bug 1157703 - (CVE-2019-18899) VUL-0: CVE-2019-18899: apt-cacher-ng: apt-cacher-ng runs as root, insecure use of /run/apt-cacher-ng
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Importance: P3 - Medium : Normal
Target Milestone: Leap 15.1
Assigned To: Security Team bot
Reported: 2019-11-25 14:51 UTC by Matthias Gerstner
Modified: 2020-05-13 08:15 UTC


Description Matthias Gerstner 2019-11-25 14:51:59 UTC
A serious finding from bug 1150532. In our package apt-cacher-ng runs as root.
The /run/apt-cacher-ng directory is owned by an unprivileged user, however:

```
$ ls -lhd /run/apt-cacher-ng
drwxr-xr-x 2 apt-cacher-ng apt-cacher-ng 80 25. Nov 15:30 /run/apt-cacher-ng/
```

The apt-cacher-ng daemon creates at least two files in there, a pid file and a
socket file. The apt-cacher-ng unprivileged user can therefore perform symlink
attacks and cause damage to the system or otherwise unspecified impact. Both
files are created in a racy way by the apt-cacher-ng daemon.

The problem stems from the apt-cacher-ng.service file which is not coming from
upstream but from our own packaging in OBS. On Debian they use the right
approach by adding the following two directives to the file:

```
User=apt-cacher-ng
Group=apt-cacher-ng
```

This finding is worth a CVE, we will need to assign one from our own SUSE CVE
pool for this since it is SUSE specific.
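
An audit check for the condition described in this report, added here as an example (it is not code from the report, the package or upstream): it compares the account a unit runs as with who controls the directory the daemon writes into. The unit text is constructed, the `ExecStart` line is a placeholder, and the function names are hypothetical.

```python
import stat

# Constructed unit text modelled on the report: no User=/Group=, so systemd
# starts the daemon as root. The ExecStart line is a placeholder.
UNIT_AS_PACKAGED = """\
[Service]
ExecStart=/usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng
"""
UNIT_WITH_FIX = UNIT_AS_PACKAGED + "User=apt-cacher-ng\nGroup=apt-cacher-ng\n"


def service_user(unit_text):
    """Return the last User= in [Service]; without one the unit runs as root."""
    section, user = None, "root"
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "User":
                user = value.strip() or "root"
    return user


def dir_controllers(owner, group, mode):
    """Non-root principals that can create, rename or replace entries."""
    who = set()
    if owner != "root":
        who.add("user:" + owner)
    if mode & stat.S_IWGRP and group != "root":
        who.add("group:" + group)
    if mode & stat.S_IWOTH:
        who.add("other")
    return who


def audit(unit_text, owner, group, mode):
    """List principals, other than the service account, controlling the dir."""
    runs_as = service_user(unit_text)
    # Anyone listed here can pre-create or swap the pid/socket path, and the
    # daemon then acts on it with the privileges of runs_as.
    return sorted(dir_controllers(owner, group, mode) - {"user:" + runs_as})


if __name__ == "__main__":
    # drwxr-xr-x apt-cacher-ng apt-cacher-ng, as in the ls output above
    print(audit(UNIT_AS_PACKAGED, "apt-cacher-ng", "apt-cacher-ng", 0o755))
    print(audit(UNIT_WITH_FIX, "apt-cacher-ng", "apt-cacher-ng", 0o755))
```

A non-empty result means the daemon writes into a directory that a different account can rearrange underneath it; with the two directives added, the same directory produces no finding.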
Comment 1 Matthias Gerstner 2019-12-05 10:51:24 UTC
So this SUSE specific bug needs to be carefully addressed. Reducing permissions
in an update is a difficile thing to do. We need to make sure that no
regressions occur.

No official maintainer is left for apt-cacher-ng. We're considering removing
it from Factory, but it's still in maintained state for SLE-15 and SLE-15-SP1
backports. The question also is whether there's a customer requirement for
this being in SLE, then removing it from Factory could become difficult.
Comment 2 Johannes Segitz 2019-12-05 11:26:15 UTC
Please use CVE-2019-18899 to track this
Comment 6 Matthias Gerstner 2020-01-15 13:12:34 UTC
Since bug 1157706 which also affects upstream is already public we can now
simply act for this bug, too. Similarly to what I wrote in the other bug, no
maintainer is to be found for this package in openSUSE. Therefore the
following will happen:

- a delete request will be filed for Factory
- a maintenance update with emergency fixes will be submitted to maintained
  Leap codestreams.
Comment 7 Swamp Workflow Management 2020-01-20 14:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1157703) was mentioned in
https://build.opensuse.org/request/show/765843 15.1 / apt-cacher-ng
Comment 9 Matthias Gerstner 2020-01-21 09:33:22 UTC
I've published this on oss-sec [1].

[1]: https://seclists.org/oss-sec/2020/q1/22
Comment 10 Swamp Workflow Management 2020-01-29 11:14:59 UTC
openSUSE-SU-2020:0124-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Leap 15.1 (src):    apt-cacher-ng-3.1-lp151.3.3.1
Comment 11 Swamp Workflow Management 2020-01-29 20:41:21 UTC
openSUSE-SU-2020:0146-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1157703,1157706
CVE References: CVE-2019-18899,CVE-2020-5202
Sources used:
openSUSE Backports SLE-15-SP1 (src):    apt-cacher-ng-3.1-bp151.4.3.1
Comment 12 Matthias Gerstner 2020-05-13 08:13:20 UTC
reassigning to security-team, this should be done by now
Comment 13 Alexandros Toptsoglou 2020-05-13 08:15:20 UTC
Done