Bug 1170178 - AUDIT-FIND: enlightenment: enlightenment_system: ecore_file_app_installed(): can be tricked into returning bogus results
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Assigned To: Simon Lees
Blocks: 1169238
Reported: 2020-04-22 10:02 UTC by Matthias Gerstner
Modified: 2020-05-22 10:25 UTC
Description Matthias Gerstner 2020-04-22 10:02:03 UTC
+++ This bug was initially created as a clone of Bug #1169238

i) `ecore_file_app_installed()` can be tricked into returning bogus results

Various calls to `ecore_file_app_installed()` are performed in the context of
the setuid-root binary. This function performs a direct check for the
existence of the given filename before checking the directories found in the
PATH environment variable.

Since the CWD is controlled by a potential attacker (see g)), the attacker can
place arbitrary files named like the searched binaries in the CWD. As a
result `ecore_file_app_installed()` will return bogus results. I couldn't
find any way to exploit this fact in the context of the setuid-root binary.

I suggest *not* to check the CWD in `ecore_file_app_installed()`. If
the CWD should be checked then the PATH environment variable should contain
"." instead.
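An added illustration of the lookup behaviour the report asks for (not Enlightenment's own code): a PATH-only resolver that never consults the CWD, so a relative PATH entry or a bare filename planted in the working directory cannot produce a match. The `fake_exec_check` predicate and the `xrandr` name are constructed for the demonstration; `real_exec_check` is what a caller would pass in practice.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Decides whether a candidate path is executable; injected so the
 * lookup can be exercised without a real filesystem. */
typedef bool (*exec_check_fn)(const char *path);

bool real_exec_check(const char *path) { return access(path, X_OK) == 0; }

/* Constructed stand-in filesystem: the genuine /usr/bin/xrandr plus a
 * look-alike "xrandr" planted in the current working directory. */
bool fake_exec_check(const char *path)
{
    return strcmp(path, "/usr/bin/xrandr") == 0 ||
           strcmp(path, "xrandr") == 0 || strcmp(path, "./xrandr") == 0;
}

/* Resolve `exe` against `path` (colon-separated, like $PATH) without
 * consulting the CWD: an absolute name is checked as given, any other
 * name containing '/' is refused, and a bare name is searched only in
 * absolute PATH entries ("", "." and other relative entries are skipped).
 * On success the resolved path is written to `out`. */
bool app_installed_safe(const char *exe, const char *path,
                        exec_check_fn check, char *out, size_t outlen)
{
    if (!exe || !*exe || !out || outlen == 0) return false;
    out[0] = '\0';
    if (strchr(exe, '/')) {                 /* absolute or CWD-relative */
        if (exe[0] != '/' || strlen(exe) >= outlen || !check(exe))
            return false;
        strcpy(out, exe);
        return true;
    }
    for (const char *p = path ? path : ""; ; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0 && p[0] == '/') {
            int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, exe);
            if (n > 0 && (size_t)n < outlen && check(out)) return true;
        }
        if (!end) break;
        p = end + 1;
    }
    out[0] = '\0';                          /* no trusted match */
    return false;
}
```

With the constructed predicate, `"xrandr"` resolves against `"/usr/bin:/bin"` but not against `".:/tmp"`, even though a bare `access("xrandr", X_OK)` check would have succeeded.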
Comment 1 Simon Lees 2020-04-22 11:10:32 UTC
Upstream: https://phab.enlightenment.org/T8678
Comment 3 Matthias Gerstner 2020-04-30 13:47:47 UTC
Well the upstream fix is not exactly what I had in mind. But as the upstream
comment says the actual attack vector is already fixed by setting the CWD in
the setuid-root binary.
Comment 4 Matthias Gerstner 2020-05-22 10:25:12 UTC
Closing as fixed.