michael orlitzky

CVE-2017-14484: Gentoo sci-mathematics/gimps root privilege escalation via init script

Product: Gentoo Linux sci-mathematics/gimps package
Versions affected: sci-mathematics/gimps-28.10 and earlier
Published on: 2017-09-15
Author: Michael Orlitzky
Bug report: https://bugs.gentoo.org/603408
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14484
Acknowledgements: Paolo Pedroni for fixing it, and Christopher Díaz for the CVE

Summary

The Gentoo sci-mathematics/gimps package before 28.10-r1 allows local users to gain root privileges by creating a hard link under /var/lib/gimps, because an unsafe chown -R command is executed whenever the service is started.

Details

The full details, exploit, and mitigation are discussed in my article, End root chowning now (make /etc/init.d great again).
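
The following shell helpers are an added example, not code from the advisory, the linked article, or the Gentoo package. They audit for the pattern named in the summary: init scripts that run a recursive chown, and files with extra hard links under a service's state directory. The function names are hypothetical and the directories to scan are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit helpers for the "chown -R in an init script" pattern.

# Print "file:line:text" for each non-comment line, in the scripts directly
# under directory $1, that runs chown with a recursive flag: -R, a cluster
# such as -hR, or --recursive (GNU chown accepts options after the operands).
find_recursive_chown() {
    for script in "$1"/*; do
        [ -f "$script" ] || continue
        awk -v f="$script" '
            /^[ \t]*#/ { next }    # ignore comment lines
            {
                for (i = 1; i <= NF; i++) {
                    if ($i !~ /(^|\/)chown$/) continue
                    # Walk the words of this chown command only.
                    for (j = i + 1; j <= NF; j++) {
                        if ($j == ";" || $j == "&&" || $j == "||" || $j == "|") break
                        if ($j == "--recursive" || $j ~ /^-[A-Za-z]*R/) {
                            print f ":" NR ":" $0
                            next
                        }
                        if ($j ~ /;$/) break
                    }
                }
            }' "$script"
    done
}

# List regular files under state directory $1 that have more than one hard
# link. A recursive chown run as root changes the owner of the inode behind
# every name it visits, so these names deserve a look before the service
# (re)starts.
multi_link_files() {
    find "$1" -xdev -type f -links +1
}
```

On an affected system the calls would be `find_recursive_chown /etc/init.d` and `multi_link_files /var/lib/gimps`.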