GNU bug report logs - #47584
Race condition in ‘copy-account-skeletons’: possible privilege escalation.

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: important; Reported by: Maxime Devos <maximedevos@HIDDEN>; Keywords: security patch; dated Sat, 3 Apr 2021 16:10:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Severity set to 'important' from 'normal' Request was from Maxime Devos <maximedevos@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Added tag(s) security and patch. Request was from Maxime Devos <maximedevos@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47584 <at> debbugs.gnu.org:


Received: (at 47584) by debbugs.gnu.org; 3 Apr 2021 16:33:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 03 12:33:00 2021
Received: from localhost ([127.0.0.1]:34368 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lSjCm-0002pD-Gs
	for submit <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:33:00 -0400
Received: from baptiste.telenet-ops.be ([195.130.132.51]:41568)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lSjCj-0002p2-5p
 for 47584 <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:32:58 -0400
Received: from butterfly.local ([213.132.158.53])
 by baptiste.telenet-ops.be with bizsmtp
 id oGYu2400D19Qjf101GYvVU; Sat, 03 Apr 2021 18:32:55 +0200
Message-ID: <67e04c1c532d4553c5456ebf581d7d3d3d59733c.camel@HIDDEN>
Subject: Re: bug#47584: Race condition in
 =?UTF-8?Q?=E2=80=98copy-account-skeletons=E2=80=99=3A?= possible privilege
 escalation.
From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Date: Sat, 03 Apr 2021 18:32:54 +0200
In-Reply-To: <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@HIDDEN>
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
 <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1617467575; bh=Sw/UfKzDCrSltxYl/oPfddr3GjoJV0OoFTZcWIAll7c=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=ZlErvDbK0rZxPgnpY8PyDoNp/xTxYUruL/L1za+Oml+85nc0FCCqup9cZ+f/BUwP3
 OnId5chxG7KkrK10H+KnkBJ68YH5mvfEKTl6iBPhD+KA805+hVdeB3YUwMFwOyUhfs
 iEocylNsYI+2vq/f6NbtVSNlJ7zmM9cKH9gx0B7WNz7oMeyPP+f4LRsIG+djdec3sL
 ljrFYYafj75U97JTjVRFgvpLvLV7b1ukt2IXn4JY54cDbAP5K8gLO9IKbAoGNjXx0n
 /XL62UdwRLfUzyc/goegwFh+SGjwOOgdxQJ02sCuRkmdJJzU6yVMosRiRkXW/IVfF6
 L5Vr3Em+njZXg==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47584
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Sat, 2021-04-03 at 18:22 +0200, Maxime Devos wrote:
> +            ;; It is important 'chown' is called after 'copy-account-skeletons'
> +            ;; Otherwise, a malicious user with good timing could
> +            ;; create a symlink in HOME that would be dereferenced by
> +            ;; 'copy-account-skeletons'.

Oops please add a period after 'copy-account-skeletons';





Information forwarded to bug-guix@HIDDEN:
bug#47584; Package guix. Full text available.

Message received at 47584 <at> debbugs.gnu.org:


Received: (at 47584) by debbugs.gnu.org; 3 Apr 2021 16:27:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 03 12:27:05 2021
Received: from localhost ([127.0.0.1]:34362 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lSj6y-0002fF-88
	for submit <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:27:05 -0400
Received: from andre.telenet-ops.be ([195.130.132.53]:47534)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lSj6v-0002f5-Ea
 for 47584 <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:26:59 -0400
Received: from butterfly.local ([213.132.158.53])
 by andre.telenet-ops.be with bizsmtp
 id oGSu2400L19Qjf101GSvHJ; Sat, 03 Apr 2021 18:26:56 +0200
Message-ID: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@HIDDEN>
Subject: Re: bug#47584: Race condition in
 =?UTF-8?Q?=E2=80=98copy-account-skeletons=E2=80=99=3A?= possible privilege
 escalation.
From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Date: Sat, 03 Apr 2021 18:26:53 +0200
In-Reply-To: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="=-HMNpXMB6vK27ddQ1Dtzt"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1617467216; bh=+QwQ6+6U53Xh+yszKUWicth9Ir/2UkoekOQ82WoObQQ=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=eGnpz8luI96wTxYfIOYlFrUPHH/imoByxqTi0oS2Wji7JbguVAAJKw/wi/1w6utCq
 Kmj5CpbM0vCqK2b00C75BKQQwLkH6U7xhIfZMXn6+l5hxT/laE6aKNHZwbfzn9i31y
 OQ55thJZrcgMoo++DuiCOLqIaq6hv4Bgm3jyWG34iDOGtbC/AgewJ1UGHKcTxkPi93
 lDR0DwejiLqFPWkTNAofDt2mDHGMSYlRUi6zlrMymZIq5cNEaG0yDOo42weDFdJbDb
 wBevdMK26ejlhXlJZbwesioo+vGUBrf5MbbPawJD3aZ+4WHI21vu77+GSZGYwwvJY9
 iq0DhLb6UQbYw==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47584
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--=-HMNpXMB6vK27ddQ1Dtzt
Content-Type: multipart/mixed; boundary="=-cTv1bCQGArOkSc+1oSbJ"


--=-cTv1bCQGArOkSc+1oSbJ
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

A suggested blog post is attached.

--=-cTv1bCQGArOkSc+1oSbJ
Content-Disposition: attachment;
	filename*0=0001-website-Add-post-about-vulnerability-in-copy-account.pat;
	filename*1=ch
Content-Transfer-Encoding: base64
Content-Type: text/x-patch;
	name="0001-website-Add-post-about-vulnerability-in-copy-account.patch";
	charset="UTF-8"

RnJvbSA3OTM3YjlmMTgwODU1NjllNWQ3Y2I4YTNjNGRjMDhlMTA4OGE5NGE5IE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXhpbWUgRGV2b3MgPG1heGltZWRldm9zQHRlbGVuZXQuYmU+
CkRhdGU6IFNhdCwgMyBBcHIgMjAyMSAxODowMjowNSArMDIwMApTdWJqZWN0OiBbUEFUQ0hdID0/
VVRGLTg/cT93ZWJzaXRlOj0yMEFkZD0yMHBvc3Q9MjBhYm91dD0yMHZ1bG5lcmFiaWxpdHk/PQog
PT9VVEYtOD9xPz0yMGluPTIwPUUyPTgwPTk4Y29weS1hY2NvdW50LXNrZWxldG9ucz1FMj04MD05
OS4/PQpNSU1FLVZlcnNpb246IDEuMApDb250ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9
VVRGLTgKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogOGJpdAoKKiB3ZWJzaXRlL3Bvc3RzL2hv
bWUtc3ltbGluay5tZDogTmV3IHBvc3QuCi0tLQogd2Vic2l0ZS9wb3N0cy9ob21lLXN5bWxpbmsu
bWQgfCAxMDMgKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKwogMSBmaWxlIGNoYW5n
ZWQsIDEwMyBpbnNlcnRpb25zKCspCiBjcmVhdGUgbW9kZSAxMDA2NDQgd2Vic2l0ZS9wb3N0cy9o
b21lLXN5bWxpbmsubWQKCmRpZmYgLS1naXQgYS93ZWJzaXRlL3Bvc3RzL2hvbWUtc3ltbGluay5t
ZCBiL3dlYnNpdGUvcG9zdHMvaG9tZS1zeW1saW5rLm1kCm5ldyBmaWxlIG1vZGUgMTAwNjQ0Cmlu
ZGV4IDAwMDAwMDAuLjkyODk4NzAKLS0tIC9kZXYvbnVsbAorKysgYi93ZWJzaXRlL3Bvc3RzL2hv
bWUtc3ltbGluay5tZApAQCAtMCwwICsxLDEwMyBAQAordGl0bGU6IFJpc2sgb2YgbG9jYWwgcHJp
dmlsZWdlIGVzY2FsYXRpb24gaW4gYWNjb3VudCBjcmVhdGlvbgorZGF0ZTogMjAyMS0wNC0wMyAx
NzozMAorYXV0aG9yOiBNYXhpbWUgRGV2b3MKK3RhZ3M6IFNlY3VyaXR5IEFkdmlzb3J5CistLS0K
KworQSBzZWN1cml0eSB2dWxuZXJhYmlsaXR5IHRoYXQgY2FuIGxlYWQgdG8gbG9jYWwgcHJpdmls
ZWdlIGVzY2FsYXRpb24KK2hhcyBiZWVuIGZvdW5kIGluIHRoZSBhY3RpdmF0aW9uIGNvZGUgb2Yg
dXNlciBhY2NvdW50cyAoZXhjbHVkaW5nCitzeXN0ZW0gYWNjb3VudHMpLiAgSXQgZG9lcyBub3Qg
YWZmZWN0IHVzZXJzIG9uIGZvcmVpZ24gZGlzdHJvcworYW5kIGlzIG9ubHkgZXhwbG9pdGFibGUg
ZHVyaW5nIHN5c3RlbSByZWNvbmZpZ3VyYXRpb24uCisKK1RoaXMgZXhwbG9pdCBpcyBfbm90XyBp
bXBvc3NpYmxlIG9uIG1hY2hpbmVzIHdoZXJlIHRoZSBMaW51eCBbcHJvdGVjdGVkCitzeW1saW5r
c10oaHR0cHM6Ly9zeXNjdGwtZXhwbG9yZXIubmV0L2ZzL3Byb3RlY3RlZF9zeW1saW5rcy8pIGZl
YXR1cmUKK2lzIGVuYWJsZWQuICBJdCBpcyBiZWxpZXZlZCB0aGUgYXR0YWNrIGNhbiBhbHNvIGJl
IHBlcmZvcm1lZCB1c2luZyBoYXJkCitsaW5rcy4KKworIyBWdWxuZXJhYmlsaXR5CisKK1RoZSBh
dHRhY2sgY29uc2lzdHMgb2YgdGhlIHVzZXIgYmVpbmcgbG9nZ2VkIGluIGFmdGVyIHRoZSBhY2Nv
dW50Citza2VsZXRvbnMgaGF2ZSBiZWVuIGNvcGllZCB0byB0aGUgaG9tZSBkaXJlY3RvcnksIGJ1
dCBiZWZvcmUgdGhlCitvd25lciBvZiB0aGUgYWNjb3VudCBza2VsZXRvbnMgaGF2ZSBiZWVuIHNl
dC4gIFRoZSB1c2VyIHRoZW4gZGVsZXRlcworYSBjb3BpZWQgYWNjb3VudCBza2VsZXRvbiAoZS5n
LiBgJEhPTUUvLmdkYmluaXRgKSBhbmQgcmVwbGFjZXMKK2l0IHdpdGggYSBzeW1ib2xpYyBsaW5r
IHRvIGEgZmlsZSBub3Qgb3duZWQgYnkgdGhlIHVzZXIsIHN1Y2ggYXMKK2AvZXRjL3NoYWRvd2Au
CisKK1RoZSBhY3RpdmF0aW9uIGNvZGUgdGhlbiBjaGFuZ2VzIHRoZSBvd25lcnNoaXAgb2YgdGhl
IGZpbGUgdGhlIHN5bWJvbGljCitsaW5rIHBvaW50cyB0byBpbnN0ZWFkIG9mIHRoZSBzeW1ib2xp
YyBsaW5rIGl0c2VsZi4gIEF0IHRoYXQgcG9pbnQsIHRoZQordXNlciBoYXMgcmVhZC13cml0ZSBh
Y2Nlc3MgdG8gdGhlIHRhcmdldCBmaWxlLgorCisjIEZpeAorCitUaGlzIFtidWddKGh0dHBzOi8v
aXNzdWVzLmd1aXguZ251Lm9yZy80NzU4NCkgaGFzIGJlZW4KKzwhLS0gWFhYIGluc2VydCB0aGUg
Y29tbWl0IGlkIC0tPgorW2ZpeGVkXShodHRwczovL2dpdC5zYXZhbm5haC5nbnUub3JnL2NnaXQv
Z3VpeC5naXQvY29tbWl0Lz9pZD0gWFhYKS4KK1NlZSBiZWxvdyBmb3IgdXBncmFkZSBpbnN0cnVj
dGlvbnMuCisKK1RoZSBmaXggY29uc2lzdCBvZiBpbml0aWFsbHkgY3JlYXRpbmcgdGhlIGhvbWUg
ZGlyZWN0b3J5IHJvb3Qtb3duZWQgYW5kIG9ubHkKK2NoYW5naW5nIHRoZSBvd25lciBvZiB0aGUg
aG9tZSBkaXJlY3Rvcnkgb25jZSBhbGwgc2tlbGV0b25zIGhhdmUgYmVlbiBjb3BpZWQKK2FuZCB0
aGVpciBvd25lciBoYXMgYmVlbiBzZXQuCisKKyMgVXBncmFkaW5nCisKK1RvIHVwZ3JhZGUgdGhl
IEd1aXggU3lzdGVtLCBydW4gc29tZXRoaW5nIGxpa2U6CisKK2BgYAorZ3VpeCBwdWxsCitzdWRv
IGd1aXggc3lzdGVtIHJlY29uZmlndXJlIC9ydW4vY3VycmVudC1zeXN0ZW0vY29uZmlndXJhdGlv
bi5zY20KK3N1ZG8gcmVib290CitgYGAKKworQXMgdGhlIHVzZXIgYWNjb3VudCBhY3RpdmF0aW9u
IGNvZGUgaXMgcnVuIGFzIGEgc2hlcGhlcmQgc2VydmljZSwKK3RoZSBsYXN0IHN0ZXAgaXMgcmVx
dWlyZWQgdG8gbWFrZSBzdXJlIHRoZSBmaXhlZCBhY3RpdmF0aW9uIGNvZGUKK2lzIHJ1biBpbiB0
aGUgZnV0dXJlLgorCitUbyBhdm9pZCB0aGUgdnVsbmVyYWJpbGl0eSB3aGlsZSB1cGdyYWRpbmcg
dGhlIHN5c3RlbSwgb25seSBkZWNsYXJlCituZXcgdXNlciBhY2NvdW50cyBpbiB0aGUgY29uZmln
dXJhdGlvbiBmaWxlIGFmdGVyIHRoZSBHdWl4IFN5c3RlbQoraGFzIGJlZW4gdXBncmFkZWQuCisK
KyMgQ29uY2x1c2lvbnMKKworVGhlIGFjdGl2YXRpb24gY29kZSBpbiBHdWl4IFN5c3RlbSBvcmln
aW5hbGx5IHdhcyB3cml0dGVuIHdpdGggdGhlCithc3N1bXB0aW9uIHRoYXQgbm8gb3RoZXIgY29k
ZSB3YXMgcnVubmluZyBhdCB0aGUgc2FtZSB0aW1lIGluIG1pbmQuCitIb3dldmVyLCB0aGlzIGlz
IG5vdCBhIHJlYXNvbmFibGUgYXNzdW1wdGlvbiBpbiBwcmFjdGljZSwgYXMgdGhpcwordnVsbmVy
YWJpbGl0eSBkZW1vbnN0cmF0ZXMuICBUaHVzLCBpdCBtYXkgYmUgd29ydGh3aGlsZSB0byBsb29r
CitvdmVyIG90aGVyIGFjdGl2YXRpb24gY29kZSBmb3Igc2ltaWxhciBpc3N1ZXMuCisKK1doaWxl
IGludmVzdGlnYXRpbmcgaG93IHRvIGZpeCB0aGUgaXNzdWUsIGl0IGJlY2FtZSBhcHBhcmVudCBH
TlUgR3VpbGUsCit0aGUgaW1wbGVtZW50YXRpb24gb2YgdGhlIEFsZ29yaXRobWljIExhbmd1YWdl
IFNjaGVtZSBHTlUgR3VpeCBpcword3JpdHRlbiBpbiwgaXMgbGFja2luZyBpbiBwcmltaXRpdmVz
IHRoYXQgdXN1YWxseSBhcmUgdXNlZCB0byBhdm9pZAordGhlc2Uga2luZCBvZiBpc3N1ZXMsIHN1
Y2ggYG9wZW5hdGAgYW5kIGBPX05PRk9MTE9XYC4KKworV2hpbGUgdGhlc2UgcHJpbWl0aXZlcyB0
dXJuZWQgb3V0IG5vdCB0byBiZSBuZWNlc3NhcnkgdG8gZml4IHRoZQoraXNzdWUgYW5kIGEgW3Bh
dGNoIHNlcmllc10oPGh0dHBzOi8vbGlzdHMuZ251Lm9yZy9hcmNoaXZlL2h0bWwvZ3VpbGUtZGV2
ZWwvMjAyMS0wMy9tc2cwMDAyNi5odG1sPikKK3RvIEdOVSBHdWlsZSBoYXMgYmVlbiBzdWJtaXR0
ZWQgdGhhdCBhZGRzIHRoZXNlIHByaW1pdGl2ZXMsIHRoaXMgZG9lcworc2VydmUgYXMgYSByZW1h
aW5kZXIgdGhhdCBHTlUgR3VpbGUgaXMgYSBjcml0aWNhbCBjb21wb25lbnQgb2YKK0d1aXggU3lz
dGVtIGFuZCB3b3JraW5nIGFyb3VuZCBtaXNzaW5nIHByaW1pdGl2ZXMgd2lsbCBub3QgYWx3YXlz
IGJlIHBvc3NpYmxlLgorCitUaGlzIGlzc3VlIGlzIHRyYWNrZWQgYXMKK1tidWfCoCM0NzU4NF0o
aHR0cHM6Ly9pc3N1ZXMuZ3VpeC5nbnUub3JnLzQ3NTg0KTsgeW91IGNhbiByZWFkIHRoZSB0aHJl
YWQKK2ZvciBtb3JlIGluZm9ybWF0aW9uLgorCitQbGVhc2UgcmVwb3J0IGFueSBpc3N1ZXMgeW91
IG1heSBoYXZlIHRvCitbYGd1aXgtZGV2ZWxAZ251Lm9yZ2BdKGh0dHBzOi8vZ3VpeC5nbnUub3Jn
L2VuL2NvbnRhY3QvKS4gIFNlZSB0aGUKK1tzZWN1cml0eSB3ZWIgcGFnZV0oaHR0cHM6Ly9ndWl4
LmdudS5vcmcvZW4vc2VjdXJpdHkvKSBmb3IgaW5mb3JtYXRpb24KK29uIGhvdyB0byByZXBvcnQg
c2VjdXJpdHkgaXNzdWVzLgorCisjIyMjIEFib3V0IEdOVSBHdWl4CisKK1tHTlUgR3VpeF0oaHR0
cHM6Ly9ndWl4LmdudS5vcmcpIGlzIGEgdHJhbnNhY3Rpb25hbCBwYWNrYWdlIG1hbmFnZXIgYW5k
CithbiBhZHZhbmNlZCBkaXN0cmlidXRpb24gb2YgdGhlIEdOVSBzeXN0ZW0gdGhhdCBbcmVzcGVj
dHMgdXNlcgorZnJlZWRvbV0oaHR0cHM6Ly93d3cuZ251Lm9yZy9kaXN0cm9zL2ZyZWUtc3lzdGVt
LWRpc3RyaWJ1dGlvbi1ndWlkZWxpbmVzLmh0bWwpLgorR3VpeCBjYW4gYmUgdXNlZCBvbiB0b3Ag
b2YgYW55IHN5c3RlbSBydW5uaW5nIHRoZSBIdXJkIG9yIHRoZSBMaW51eAora2VybmVsLCBvciBp
dCBjYW4gYmUgdXNlZCBhcyBhIHN0YW5kYWxvbmUgb3BlcmF0aW5nIHN5c3RlbSBkaXN0cmlidXRp
b24KK2ZvciBpNjg2LCB4ODZfNjQsIEFSTXY3LCBhbmQgQUFyY2g2NCBtYWNoaW5lcy4KKworSW4g
YWRkaXRpb24gdG8gc3RhbmRhcmQgcGFja2FnZSBtYW5hZ2VtZW50IGZlYXR1cmVzLCBHdWl4IHN1
cHBvcnRzCit0cmFuc2FjdGlvbmFsIHVwZ3JhZGVzIGFuZCByb2xsLWJhY2tzLCB1bnByaXZpbGVn
ZWQgcGFja2FnZSBtYW5hZ2VtZW50LAorcGVyLXVzZXIgcHJvZmlsZXMsIGFuZCBnYXJiYWdlIGNv
bGxlY3Rpb24uICBXaGVuIHVzZWQgYXMgYSBzdGFuZGFsb25lCitHTlUvTGludXggZGlzdHJpYnV0
aW9uLCBHdWl4IG9mZmVycyBhIGRlY2xhcmF0aXZlLCBzdGF0ZWxlc3MgYXBwcm9hY2ggdG8KK29w
ZXJhdGluZyBzeXN0ZW0gY29uZmlndXJhdGlvbiBtYW5hZ2VtZW50LiAgR3VpeCBpcyBoaWdobHkg
Y3VzdG9taXphYmxlCithbmQgaGFja2FibGUgdGhyb3VnaCBbR3VpbGVdKGh0dHBzOi8vd3d3Lmdu
dS5vcmcvc29mdHdhcmUvZ3VpbGUpCitwcm9ncmFtbWluZyBpbnRlcmZhY2VzIGFuZCBleHRlbnNp
b25zIHRvIHRoZQorW1NjaGVtZV0oaHR0cDovL3NjaGVtZXJzLm9yZykgbGFuZ3VhZ2UuCi0tIAoy
LjMxLjEKCg==


--=-cTv1bCQGArOkSc+1oSbJ--

--=-HMNpXMB6vK27ddQ1Dtzt
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYGiXTRccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7oxTAQCeeZXcTeSkip96gSft8n+eq6/B
iZoD91S8vYW1vc4PwAEAku2n5CPJ5b9ZcEXXD8sFCxIHTLEwK7vAJdDShW6F9gU=
=6RhR
-----END PGP SIGNATURE-----

--=-HMNpXMB6vK27ddQ1Dtzt--





Information forwarded to bug-guix@HIDDEN:
bug#47584; Package guix. Full text available.

Message received at 47584 <at> debbugs.gnu.org:


Received: (at 47584) by debbugs.gnu.org; 3 Apr 2021 16:22:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 03 12:22:23 2021
Received: from localhost ([127.0.0.1]:34357 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lSj2V-0002YE-FG
	for submit <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:22:23 -0400
Received: from xavier.telenet-ops.be ([195.130.132.52]:35302)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lSj2S-0002Y5-SP
 for 47584 <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:22:22 -0400
Received: from butterfly.local ([213.132.158.53])
 by xavier.telenet-ops.be with bizsmtp
 id oGNH2400G19Qjf101GNJqU; Sat, 03 Apr 2021 18:22:19 +0200
Message-ID: <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@HIDDEN>
Subject: Re: bug#47584: Race condition in
 =?UTF-8?Q?=E2=80=98copy-account-skeletons=E2=80=99=3A?= possible privilege
 escalation.
From: Maxime Devos <maximedevos@HIDDEN>
To: 47584 <at> debbugs.gnu.org
Date: Sat, 03 Apr 2021 18:22:12 +0200
In-Reply-To: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="=-Bho1bA0qEbYvquJzBgGY"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1617466939; bh=zhx1tZKiGadd+nSuCaSDZq+6ra1QLf4mlaIo65WcCEY=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=UQdMOaVCGjmAXbHUw3Evij5B6lPPh8R4Fz1cuT6RJ/jDgcBf8BO0g3ziBflV1Aqgb
 MopDGPvxaHAn4wiLy4HeGi/oTfNPvhz6UokU+6p+l9jaNFIoQ1i4cOT/GI+lNZOVof
 hItfsBRZdbIGXaidPjySyMR9STF7iF4jIlHrqkTZW5/9zBKG6a1gKc8fXfBMVl7iAo
 IpufXEFdhAEnganBjh9yXI5yQGp3x1qh02bfa2zF9fIigu8OKVygtNz/nPv7gWhPMw
 2fKCX5nUCJoyE6qV6ZPomaY+TVRmherho1SmdcWdfntlJYSYpe5oFxEx7Li51q2Gc/
 RFfCWrinS5zWw==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47584
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--=-Bho1bA0qEbYvquJzBgGY
Content-Type: multipart/mixed; boundary="=-lwc/tHwdLaQ9m82S74Ju"


--=-lwc/tHwdLaQ9m82S74Ju
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Patch is attached.
The committer will need to change the commit id appropriately.

--=-lwc/tHwdLaQ9m82S74Ju
Content-Disposition: attachment;
	filename*0=0001-activation-Do-not-dereference-symlinks-in-home-direc.pat;
	filename*1=ch
Content-Type: text/x-patch;
	name="0001-activation-Do-not-dereference-symlinks-in-home-direc.patch";
	charset="UTF-8"
Content-Transfer-Encoding: base64

RnJvbSA5NjcyYmQzN2JmNTBkYjFlMDk4OWQwYjg0MDM1YzQ3ODg0MjJiZDMxIE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXhpbWUgRGV2b3MgPG1heGltZWRldm9zQHRlbGVuZXQuYmU+
CkRhdGU6IFR1ZSwgMzAgTWFyIDIwMjEgMjI6MzY6MTQgKzAyMDAKU3ViamVjdDogW1BBVENIIDEv
Ml0gYWN0aXZhdGlvbjogRG8gbm90IGRlcmVmZXJlbmNlIHN5bWxpbmtzIGluIGhvbWUgZGlyZWN0
b3J5CiBjcmVhdGlvbi4KTUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC1UeXBlOiB0ZXh0L3BsYWlu
OyBjaGFyc2V0PVVURi04CkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDhiaXQKCkZpeGVzIDxo
dHRwczovL2J1Z3MuZ251Lm9yZy80NzU4ND4uCgoqIGdudS9idWlsZC9hY3RpdmF0aW9uLnNjbQog
IChjb3B5LWFjY291bnQtc2tlbGV0b25zKTogRG8gbm90IGNob3duIHRoZSBob21lIGRpcmVjdG9y
eTsgbGVhdmUgdGhpcwogIHRvICdhY3RpdmF0ZS11c2VyLWhvbWUnLgogIChhY3RpdmF0ZS11c2Vy
LWhvbWUpOiBPbmx5IGNob3duIHRoZSBob21lIGRpcmVjdG9yeSBhZnRlciB0aGUgYWNjb3VudAog
IHNrZWxldG9ucyBoYXZlIGJlZW4gY29waWVkLgoKQ28tYXV0aG9yZWQtYnk6IEx1ZG92aWMgQ291
cnTDqHMgPGx1ZG9AZ251Lm9yZz4uCi0tLQogZ251L2J1aWxkL2FjdGl2YXRpb24uc2NtIHwgMTIg
KysrKysrKystLS0tCiAxIGZpbGUgY2hhbmdlZCwgOCBpbnNlcnRpb25zKCspLCA0IGRlbGV0aW9u
cygtKQoKZGlmZiAtLWdpdCBhL2dudS9idWlsZC9hY3RpdmF0aW9uLnNjbSBiL2dudS9idWlsZC9h
Y3RpdmF0aW9uLnNjbQppbmRleCA2Y2I2Zjg4MTliLi40M2Q5NzNkM2RhIDEwMDY0NAotLS0gYS9n
bnUvYnVpbGQvYWN0aXZhdGlvbi5zY20KKysrIGIvZ251L2J1aWxkL2FjdGl2YXRpb24uc2NtCkBA
IC0xMDcsNyArMTA3LDggQEAgV2FybmluZzogdGhpcyBpcyBjdXJyZW50bHkgc3VzcGVjdCB0byBh
IFRPQ1RUT1UgcmFjZSEiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAoZGlyZWN0
b3J5ICVza2VsZXRvbi1kaXJlY3RvcnkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICB1aWQgZ2lkKQogICAiQ29weSB0aGUgYWNjb3VudCBza2VsZXRvbnMgZnJvbSBESVJFQ1RPUlkg
dG8gSE9NRS4gIFdoZW4gVUlEIGlzIGFuIGludGVnZXIsCi1tYWtlIGl0IHRoZSBvd25lciBvZiBh
bGwgdGhlIGZpbGVzIGNyZWF0ZWQ7IGxpa2V3aXNlIGZvciBHSUQuIgorbWFrZSBpdCB0aGUgb3du
ZXIgb2YgYWxsIHRoZSBmaWxlcyBjcmVhdGVkIGV4Y2VwdCB0aGUgaG9tZSBkaXJlY3Rvcnk7IGxp
a2V3aXNlCitmb3IgR0lELiIKICAgKGRlZmluZSAoc2V0LW93bmVyIGZpbGUpCiAgICAgKHdoZW4g
KG9yIHVpZCBnaWQpCiAgICAgICAoY2hvd24gZmlsZSAob3IgdWlkIC0xKSAob3IgZ2lkIC0xKSkp
KQpAQCAtMTE1LDcgKzExNiw2IEBAIG1ha2UgaXQgdGhlIG93bmVyIG9mIGFsbCB0aGUgZmlsZXMg
Y3JlYXRlZDsgbGlrZXdpc2UgZm9yIEdJRC4iCiAgIChsZXQgKChmaWxlcyAoc2NhbmRpciBkaXJl
Y3RvcnkgKG5lZ2F0ZSBkb3Qtb3ItZG90LWRvdD8pCiAgICAgICAgICAgICAgICAgICAgICAgICBz
dHJpbmc8PykpKQogICAgIChta2Rpci1wIGhvbWUpCi0gICAgKHNldC1vd25lciBob21lKQogICAg
IChmb3ItZWFjaCAobGFtYmRhIChmaWxlKQogICAgICAgICAgICAgICAgIChsZXQgKCh0YXJnZXQg
KHN0cmluZy1hcHBlbmQgaG9tZSAiLyIgZmlsZSkpKQogICAgICAgICAgICAgICAgICAgKGNvcHkt
cmVjdXJzaXZlbHkgKHN0cmluZy1hcHBlbmQgZGlyZWN0b3J5ICIvIiBmaWxlKQpAQCAtMjE1LDEw
ICsyMTUsMTQgQEAgdGhleSBhbHJlYWR5IGV4aXN0LiIKICAgICAgICAgICAgICAgICAgKHVpZCAo
cGFzc3dkOnVpZCBwdykpCiAgICAgICAgICAgICAgICAgIChnaWQgKHBhc3N3ZDpnaWQgcHcpKSkK
ICAgICAgICAgICAgIChta2Rpci1wIGhvbWUpCi0gICAgICAgICAgICAoY2hvd24gaG9tZSB1aWQg
Z2lkKQogICAgICAgICAgICAgKGNobW9kIGhvbWUgI283MDApCiAgICAgICAgICAgICAoY29weS1h
Y2NvdW50LXNrZWxldG9ucyBob21lCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAjOnVpZCB1aWQgIzpnaWQgZ2lkKSkpKSkpCisgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAjOnVpZCB1aWQgIzpnaWQgZ2lkKQorICAgICAgICAgICAgOzsgSXQgaXMgaW1wb3J0
YW50ICdjaG93bicgaXMgY2FsbGVkIGFmdGVyICdjb3B5LWFjY291bnQtc2tlbGV0b25zJworICAg
ICAgICAgICAgOzsgT3RoZXJ3aXNlLCBhIG1hbGljaW91cyB1c2VyIHdpdGggZ29vZCB0aW1pbmcg
Y291bGQKKyAgICAgICAgICAgIDs7IGNyZWF0ZSBhIHN5bWxpbmsgaW4gSE9NRSB0aGF0IHdvdWxk
IGJlIGRlcmVmZXJlbmNlZCBieQorICAgICAgICAgICAgOzsgJ2NvcHktYWNjb3VudC1za2VsZXRv
bnMnLgorICAgICAgICAgICAgKGNob3duIGhvbWUgdWlkIGdpZCkpKSkpKQogCiAgIChmb3ItZWFj
aCBlbnN1cmUtdXNlci1ob21lIHVzZXJzKSkKIAotLSAKMi4zMS4xCgo=


--=-lwc/tHwdLaQ9m82S74Ju
Content-Disposition: attachment;
	filename*0=0002-news-Add-entry-for-user-account-activation-vulnerabi.pat;
	filename*1=ch
Content-Type: text/x-patch;
	name="0002-news-Add-entry-for-user-account-activation-vulnerabi.patch";
	charset="UTF-8"
Content-Transfer-Encoding: base64

RnJvbSBkMDcxZWUzYWZmNWJlMWE2ZDc4NzZkNzQxMWU3MGY3MjgzZGNlMWZiIE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXhpbWUgRGV2b3MgPG1heGltZWRldm9zQHRlbGVuZXQuYmU+
CkRhdGU6IFNhdCwgMyBBcHIgMjAyMSAxMjoxOToxMCArMDIwMApTdWJqZWN0OiBbUEFUQ0ggMi8y
XSBuZXdzOiBBZGQgZW50cnkgZm9yIHVzZXIgYWNjb3VudCBhY3RpdmF0aW9uCiB2dWxuZXJhYmls
aXR5LgoKVE9ETyBmb3IgZ3VpeCBjb21taXR0ZXI6IGNvcnJlY3QgdGhlIGNvbW1pdCBpZCBhcHBy
b3ByaWF0ZWx5LgoKKiBldGMvbmV3cy5zY206IEFkZCBlbnRyeS4KLS0tCiBldGMvbmV3cy5zY20g
fCAxNyArKysrKysrKysrKysrKysrKwogMSBmaWxlIGNoYW5nZWQsIDE3IGluc2VydGlvbnMoKykK
CmRpZmYgLS1naXQgYS9ldGMvbmV3cy5zY20gYi9ldGMvbmV3cy5zY20KaW5kZXggZGVlZGM2OWY2
ZS4uMGNjOWMxODNhMCAxMDA2NDQKLS0tIGEvZXRjL25ld3Muc2NtCisrKyBiL2V0Yy9uZXdzLnNj
bQpAQCAtMTIsNiArMTIsNyBAQAogOzsgQ29weXJpZ2h0IMKpIDIwMjAsIDIwMjEgTWF4aW0gQ291
cm5veWVyIDxtYXhpbS5jb3Vybm95ZXJAZ21haWwuY29tPgogOzsgQ29weXJpZ2h0IMKpIDIwMjEg
TGVvIEZhbXVsYXJpIDxsZW9AZmFtdWxhcmkubmFtZT4KIDs7IENvcHlyaWdodCDCqSAyMDIxIFpo
dSBaaWhhbyA8YWxsX2J1dF9sYXN0QDE2My5jb20+Cis7OyBDb3B5cmlnaHQgwqkgMjAyMSBNYXhp
bWUgRGV2b3MgPG1heGltZWRldm9zQHRlbGVuZXQuYmU+CiA7OwogOzsgQ29weWluZyBhbmQgZGlz
dHJpYnV0aW9uIG9mIHRoaXMgZmlsZSwgd2l0aCBvciB3aXRob3V0IG1vZGlmaWNhdGlvbiwgYXJl
CiA7OyBwZXJtaXR0ZWQgaW4gYW55IG1lZGl1bSB3aXRob3V0IHJveWFsdHkgcHJvdmlkZWQgdGhl
IGNvcHlyaWdodCBub3RpY2UgYW5kCkBAIC0yMCw2ICsyMSwyMiBAQAogKGNoYW5uZWwtbmV3cwog
ICh2ZXJzaW9uIDApCiAKKyA7OyBYWFggdG8gZ3VpeCBjb21taXR0ZXJzOiB0aGlzIGNvbW1pdCBs
aWtlbHkgbmVlZHMgdG8gYmUgY2hhbmdlZC4KKyAoZW50cnkgKGNvbW1pdCAiOTY3MmJkMzdiZjUw
ZGIxZTA5ODlkMGI4NDAzNWM0Nzg4NDIyYmQzMSIpCisgICAgICAgICh0aXRsZQorICAgICAgICAg
KGVuICJSaXNrIG9mIGxvY2FsIHByaXZpbGVnZSBlc2NhbGF0aW9uIGJ5IGNyZWF0aW9uIG9mIG5l
dyB1c2VyIGFjY291bnRzIikpCisgICAgICAgIChib2R5CisgICAgICAgICAoZW4gIkEgc2VjdXJp
dHkgdnVsbmVyYWJpbGl0eSB0aGF0IGNhbiBsZWFkIHRvIGxvY2FsIHByaXZpbGVnZQorZXNjYWxh
dGlvbiBoYXMgYmVlbiBmb3VuZCBpbiB0aGUgYWN0aXZhdGlvbiBjb2RlIG9mIHVzZXIgYWNjb3Vu
dHMuICBUaGUKK3N5c3RlbSBpcyBvbmx5IHZ1bG5lcmFibGUgZHVyaW5nIHRoZSBhY3RpdmF0aW9u
IG9mIHVzZXIgYWNjb3VudHMgKGluY2x1ZGluZworc3lzdGVtIGFjY291bnRzKSB0aGF0IGRvIG5v
dCBhbHJlYWR5IGV4aXN0LgorCitUaGUgYXR0YWNrIGNvbnNpc3RzIG9mIHRoZSB1c2VyIGxvZ2dp
bmcgaW4gYWZ0ZXIgdGhlIHVzZXIncyBob21lIGRpcmVjdG9yeQoraGFzIGJlZW4gY3JlYXRlZCwg
YnV0IGJlZm9yZSB0aGUgYWN0aXZhdGlvbiBvZiB0aGUgdXNlciBoYXMgYmVlbiBjb21wbGV0ZWQs
CitieSBjcmVhdGluZyBhbiBhcHByb3ByaWF0ZWx5IG5hbWVkIHN5bWJvbGljIGxpbmsgaW4gdGhl
IGhvbWUgZGlyZWN0b3J5Citwb2ludGluZyB0byBhIHNlbnNpdGl2ZSBmaWxlLCBzdWNoIGFzIEBm
aWxley9ldGMvc2hhZG93fS4KKworU2VlIEB1cmVme2h0dHBzOi8vaXNzdWVzLmd1aXguZ251Lm9y
Zy80NzU4NH0gZm9yIG1vcmUgaW5mb3JtYXRpb24gb24gdGhpcyBidWcuIikpKQogIChlbnRyeSAo
Y29tbWl0ICI5YWRlMmI3MjBhZjkxYWNlY2Y3NjI3OGI0ZDliOTlhY2U0MDY3ODFlIikKICAgICAg
ICAgKHRpdGxlCiAgICAgICAgICAoZW4gIlVwZGF0ZSBvbiBwcmV2aW91cyBAY29tbWFuZHtndWl4
LWRhZW1vbn0gbG9jYWwgcHJpdmlsZWdlIGVzY2FsYXRpb24iKQotLSAKMi4zMS4xCgo=


--=-lwc/tHwdLaQ9m82S74Ju--

--=-Bho1bA0qEbYvquJzBgGY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYGiWNBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7q/qAQDT5qc+LRzX3U7kyva91ZSwtcAb
QiyWn0hoKcCM7ADQLwEAttCr+4GQJnhmgUGMN3dBqaJLg6XXwxcOGFg03XJxhAU=
=Y7kQ
-----END PGP SIGNATURE-----

--=-Bho1bA0qEbYvquJzBgGY--





Information forwarded to bug-guix@HIDDEN:
bug#47584; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 3 Apr 2021 16:09:43 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 03 12:09:42 2021
Received: from localhost ([127.0.0.1]:34340 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lSiqE-0002Cl-Ga
	for submit <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:09:42 -0400
Received: from lists.gnu.org ([209.51.188.17]:38296)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lSiqC-0002Cc-0z
 for submit <at> debbugs.gnu.org; Sat, 03 Apr 2021 12:09:40 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:38384)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maximedevos@HIDDEN>)
 id 1lSiq8-0006Gb-1b
 for bug-guix@HIDDEN; Sat, 03 Apr 2021 12:09:38 -0400
Received: from andre.telenet-ops.be ([2a02:1800:120:4::f00:15]:55356)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maximedevos@HIDDEN>)
 id 1lSiq2-0005Pv-0v
 for bug-guix@HIDDEN; Sat, 03 Apr 2021 12:09:35 -0400
Received: from butterfly.local ([213.132.158.53])
 by andre.telenet-ops.be with bizsmtp
 id oG9N2400A19Qjf101G9Ppo; Sat, 03 Apr 2021 18:09:23 +0200
Message-ID: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@HIDDEN>
Subject: Race condition in
 =?UTF-8?Q?=E2=80=98copy-account-skeletons=E2=80=99=3A?= possible privilege
 escalation.
From: Maxime Devos <maximedevos@HIDDEN>
To: bug-guix@HIDDEN
Date: Sat, 03 Apr 2021 18:09:16 +0200
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="=-dbxZ7pU2+iz3DVCXnVex"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1617466163; bh=Wc2nYGPfvJRxWlFIhxd7xBBDHNTSegovXy8fTwBZQKU=;
 h=Subject:From:To:Date;
 b=sl6ikeK39CFtUYOQts38qeioSJL/9Io2+VA5tiCnoysDw9KPeO+2voA4OhvNEg03I
 Gho4iIX+K8phwgMYaKyJXgX9Xz3DnoFJ8fdXOQDZPNaVO2Bo1lFQkOBcKq4eiI0ik4
 mM9pcjjJR8l0ZnMY0mEaOw8iBvF0XsBIYbQkKwmEkWE+FvlRpaZCM56DudDA+EO5tY
 rTxsxVp3LITeE/yzbYH/MKI0QAk+SJK6rNWVKoctg6LBM32Z6KBHJXrzNt993QqPL7
 akdIuYmC0LBDoz5GG5HnWEoZxLmhuKnrTeG9JE9WlEnW0KP+YqRsav4Bi0DwA0ax7k
 qi1lNJ3JmNzhA==
Received-SPF: pass client-ip=2a02:1800:120:4::f00:15;
 envelope-from=maximedevos@HIDDEN; helo=andre.telenet-ops.be
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.4 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-dbxZ7pU2+iz3DVCXnVex
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

A TOCTTOU (time-of-check to time-of-use) vulnerability has been found
in the activation code of user accounts, more specifically in the
code that copies the account skeletons.

* Vulnerability

The attack consists of the user being logged in after the account
skeletons have been copied to the home directory, but before the
owner of the account skeletons have been set.  The user then deletes
a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
it with a symbolic link to a file not owned by the user, such as
@file{/etc/shadow}.

The activation code then changes the ownership
of the file the symbolic link points to instead of the symbolic
link itself.  At that point, the user has read-write access
to the target file.

* Where in the code does this happen?

Module: (gnu build activation).
Procedures: 'copy-account-skeletons' and 'activate-user-home'.

'copy-account-skeletons' creates the home directory, sets it
owner, copies the account skeletons, and chowns the copied skeletons,
in that order.   The bug is that it dereferences symbolic links.

It is called from 'activate-user-home' if the home directory does
not already exist.

* Fix

The fix consist of initially creating the home directory root-owned and onl=
y
changing the owner of the home directory once all skeletons have been copie=
d
and their owner has been set.

* Extra notes

A blog post, a news entry and a fix have been prepared and will be posted
and hopefully merged soon.  The following tests succeeded:

$ make check-system TESTS=3D'switch-to-system upgrade-services install-boot=
loader basic'
$ make check

--=-dbxZ7pU2+iz3DVCXnVex
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYGiTLBccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7sOVAQDo/Y4CM3KbVCPqLFr/YOjdA6T2
tOoO8lB90ciLuXdB+AEAtWcTB6Y5+G8r2Dbp6bl2HnFHILDSNQns1H/c80B67A0=
=xuhu
-----END PGP SIGNATURE-----

--=-dbxZ7pU2+iz3DVCXnVex--





Acknowledgement sent to Maxime Devos <maximedevos@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47584; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Sat, 3 Apr 2021 16:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.