Missing input sanitation in upstart logrotation cronjob
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
upstart (Ubuntu) | Fix Released | High | James Hunt | | |
Bug Description
Ubuntu Vivid 1504 (development branch) installs an insecure upstart logrotation script which will read user-supplied data from /run/user/
Problematic part of /etc/cron.
for session in /run/user/
do
env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
done
On a system with e.g. libpam-systemd installed, standard login on TTY or via SSH will create the directory /run/user/[uid] writable to the user. By preparing a suitable session file, user supplied code will be run during the daily cron-jobs.
See [1] for more information.
# lsb_release -rd
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04
# apt-cache policy upstart-bin
upstart-bin:
Installed: 1.13.2-0ubuntu7
Candidate: 1.13.2-0ubuntu7
Version table:
*** 1.13.2-0ubuntu7 0
500 http://
100 /var/lib/
[1] http://
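An added example (not the upstart package's cron script and not the fix from the linked branch): one way to validate a user-writable session file before its contents reach the environment of a root-run command. The one-line `UPSTART_SESSION=unix:abstract=...` format, the `.session` suffix, and the function names `read_session` and `rotate_all` are assumptions.

```shell
#!/bin/sh
# Added example, not the upstart package's cron script.
# Assumption: a legitimate session file is exactly one line of the form
#   UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/<uid>/<pid>
SESSION_RE='UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/[0-9]+/[0-9]+'

# read_session FILE: print the validated address; non-zero status on rejection.
read_session() {
    f=$1
    # Regular file only; a symlink could point at any file root can read.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Exactly one line (grep -c '' also counts an unterminated last line).
    [ "$(grep -c '' "$f")" -eq 1 ] || return 1
    IFS= read -r line < "$f" || [ -n "$line" ] || return 1
    # Whole-line allow-list: no whitespace, no other variable, no extra words.
    printf '%s\n' "$line" | grep -Eqx "$SESSION_RE" || return 1
    printf '%s\n' "${line#UPSTART_SESSION=}"
}

# rotate_all DIR CMD...: run CMD once for each valid session file in DIR.
rotate_all() {
    dir=$1; shift
    for session in "$dir"/*.session; do
        addr=$(read_session "$session") || continue
        # Quoted assignment: the value stays a single environment variable
        # and is never word-split into further arguments for env.
        env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin UPSTART_SESSION="$addr" "$@" \
            >/dev/null 2>&1 || true
    done
}

# Constructed sample files (not taken from the bug report).
demo_dir=$(mktemp -d)
printf 'UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1234\n' \
    > "$demo_dir/a.session"
printf 'UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1234 extra-word\n' \
    > "$demo_dir/b.session"
for sample in "$demo_dir"/*.session; do
    if read_session "$sample" >/dev/null; then
        echo "accept ${sample##*/}"
    else
        echo "reject ${sample##*/}"
    fi
done
rm -rf "$demo_dir"
```

The cron loop would then call something like `rotate_all <session directory> /sbin/initctl emit rotate-logs`; the file is read once and only the value that passed the check is used.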
Related branches
- Colin Watson: Approve
- Dimitri John Ledkov: Pending requested
- Diff: 37 lines (+18/-2), 2 files modified: debian/changelog (+8/-0), debian/upstart-bin.upstart.cron.daily (+10/-2)
information type: Private Security → Public Security
Changed in upstart (Ubuntu):
assignee: nobody → James Hunt (jamesodhunt)
importance: Undecided → High
Changed in upstart (Ubuntu):
status: New → Fix Committed
Note - this problem only affects vivid fwics. Further, it does not affect Touch (since that uses Upstart as PID 1).