[Cucumber-linux-security] coreutils (vulnerability information disclosure) [CVE-2017-18018]
From: Scott C. <z5...@z5...> - 2018-01-05 15:15:00
The following is an information disclosure about CVE-2017-18018, a recently disclosed vulnerability in the coreutils package:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018:

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

================================= Our Analysis =================================

----- Affected Products -----

All versions of the GNU coreutils up to and including 8.29 are affected by this vulnerability. At the time of writing (Thu Jan 4 13:09:35 EST 2018) 8.29 is the latest available version of coreutils; future versions may or may not be affected. This includes coreutils as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----

This vulnerability allows a user to cause an arbitrary file to be chowned when a directory that the user has write access to is chowned recursively.

----- Fix for this Vulnerability -----

As of Thu Jan 4 13:02:32 EST 2018 there is no known fix for this vulnerability. There are two patches available at http://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html and http://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html that add a warning about this issue to the man and info pages; however, there is nothing that actually fixes this vulnerability.

*In the meantime, the impact of this vulnerability can be mitigated in the following ways:

1. Enable the protected_symlinks feature in the kernel. This can be done by running `sysctl --write fs.protected_symlinks=1` as root. You may want to add this to your /etc/rc.d/rc.local script to ensure it is run whenever the system boots up.
2. Do not combine the -R and -L flags when running chown/chgrp (-R = recursive and -L = traverse all symlinks).
3. Use the --from flag when running chown/chgrp to ensure that you are chowning/chgrping files owned only by the intended user/group.*

================================= Our Solution =================================

We have made an information disclosure about this vulnerability and will wait to see if an upstream patch is published. The full analysis and report for this vulnerability can be viewed at http://security.cucumberlinux.com/security/details.php?id=197.
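
An added example, not part of the original post or of coreutils: a shell function that checks a chown/chgrp argument vector against mitigations 2 and 3 above, for use when auditing admin scripts or in a wrapper. The function name check_chown_args and the sample users and paths are assumptions; it relies on the documented GNU behaviour that -P is the default traversal mode and that the last of -H/-L/-P given takes effect.

```sh
#!/bin/sh
# Added example, not from the original post. check_chown_args is a hypothetical
# helper; user names and paths below are constructed samples.
# Prints "risky", "mitigated" or "ok"; returns 1 only for "risky".
check_chown_args() {
    cc_recursive=0 cc_traverse=P cc_from=0     # GNU default traversal is -P
    case "${1##*/}" in
        chown|chgrp) shift ;;
        *) echo "ok"; return 0 ;;              # not a chown/chgrp invocation
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            --) break ;;                       # everything after -- is an operand
            --recursive) cc_recursive=1 ;;
            --from|--from=*) cc_from=1 ;;
            --*) ;;                            # other long options do not matter here
            -?*)                               # short option cluster such as -RLv
                cc_opts=${1#-}
                while [ -n "$cc_opts" ]; do
                    cc_rest=${cc_opts#?}
                    cc_opt=${cc_opts%"$cc_rest"}
                    case "$cc_opt" in
                        R) cc_recursive=1 ;;
                        H|L|P) cc_traverse=$cc_opt ;;   # last of -H/-L/-P wins
                    esac
                    cc_opts=$cc_rest
                done ;;
        esac
        shift
    done
    if [ "$cc_recursive" = 1 ] && [ "$cc_traverse" = L ]; then
        if [ "$cc_from" = 1 ]; then echo "mitigated"; return 0; fi
        echo "risky"; return 1
    fi
    echo "ok"
}

# Constructed sample invocations
check_chown_args chown -R -L alice /srv/shared || true          # risky
check_chown_args chown -RL --from=bob alice /srv/shared         # mitigated
check_chown_args chown -R -L -P alice /srv/shared               # ok
```

The function only inspects arguments and never runs chown itself, so it can be called on argument lists extracted from scripts or cron jobs.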