
List:       oss-security
Subject:    Re: [oss-security] icinga2: CVE-2020-14004: prepare-dirs script allows for symlink attack in the ici
From:       Michael Orlitzky <michael () orlitzky ! com>
Date:       2020-06-12 12:16:23
Message-ID: 34ddbebf-ee5e-a8de-918b-bc9878352e84 () orlitzky ! com

On 2020-06-12 05:54, Matthias Gerstner wrote:
> Hello list,
> 
> during the review of directories with special permissions in openSUSE
> distributions I noticed an icinga user privilege escalation issue in the
> icinga2 monitoring software [1].

face -> palm

https://github.com/Icinga/icinga2/issues/5793


> But it could still turn out to be subject to
> race conditions on older or alternative `chown` implementations. It
> would also be problematic if the Linux kernel hardlink protection is
> turned off for some reason.

Hardlink protection is off by default in the vanilla kernel.