Message-ID: <CAOGQQ2-EaBO5nKO35Ni0sfVCncjGQqWU8XU-gsnV36BKZoLhQg@mail.gmail.com>
Date: Tue, 16 Jan 2024 11:36:07 -0300
From: Marco Benatto <mbenatto@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Pavel Raiskup <praiskup@...hat.com>, Zack Miele <zmiele@...hat.com>
Subject: CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration

Summary:

There is a flaw in the Mock software (https://github.com/rpm-software-management/mock) where an attacker may achieve privilege escalation and execute arbitrary code as the root user. This is due to the lack of sandboxing when expanding and executing Jinja2 templates that may be included in some configuration parameters.

Mock is a chroot build environment manager for building RPM packages. Mock uses Jinja2 templates for expanding configuration parameters through the TemplatedDictionary Python class. This feature was introduced in mock 1.4 back in 2019 [1], and in 2021 the TemplatedDictionary code was split out to a separate project [2].

Mock documentation recommends that users added to the mock group on a system be treated as privileged users [3]. However, some build systems that invoke mock on behalf of users may unintentionally allow less privileged users to define configuration tags that will be passed to mock as parameters when it is run. Configuration tags that allow Jinja2 templates could be used to achieve remote privilege escalation and run arbitrary code as root on the build server.

This issue is being identified by the CVE ID CVE-2023-6395, with the following CVSSv3.1 score: 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The Local attack vector and High privileges in that vector reflect mock's own threat model, in which mock group membership is already a privileged role; the practical exposure is through build systems that pass user-supplied configuration to mock.

The upstream patches for this issue can be found at:

https://github.com/xsuchy/templated-dictionary/commits/main/
https://github.com/xsuchy/templated-dictionary/commit/bcd90f0dafa365575c4b101e6f5d98c4ef4e4b69
https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933

The provided patches target the templated-dictionary module [4].

Please don't hesitate to reach out to us in case of any doubts or concerns.

We would like to thank Sankin Nikita Alexeevich, an independent security researcher, for discovering and reporting this issue.

Thanks,

[1] https://github.com/rpm-software-management/mock/commit/426d973c2917a18303eea243bdf496ff6942bd27
[2] https://github.com/rpm-software-management/mock/commit/c989e28ba92c571c0834e9b5d10ef29340e661f8
[3] https://rpm-software-management.github.io/mock/#setup
[4] https://github.com/xsuchy/templated-dictionary

Marco Benatto
Red Hat Product Security
secalert@...hat.com for urgent response
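As an added illustration of the vulnerability class the advisory describes (this is example code, not code from mock or templated-dictionary): a toy TemplatedConfig class renders each configuration value as a Jinja2 template with the dictionary itself as the template context, first with a plain jinja2.Environment and then with jinja2.sandbox.SandboxedEnvironment. The key names, the sample values and the hostile tag are constructed for the example; the hostile value walks from a string literal to the list of every loaded Python class and only counts them, so the demonstration stays harmless while still showing that the template has escaped the configuration namespace.

```python
"""Unsandboxed versus sandboxed Jinja2 expansion of configuration values.

Added example illustrating the class of flaw behind CVE-2023-6395; it is
not mock's or templated-dictionary's own code, and the config schema below
is hypothetical.
"""

import jinja2
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class TemplatedConfig(dict):
    """Toy stand-in for a templated-dictionary style config (hypothetical).

    Values may contain Jinja2 expressions that refer to other keys; expand()
    renders one value using the dictionary itself as the template context.
    Which Environment is used decides whether the template can reach beyond
    the configuration keys into the Python object graph.
    """

    def __init__(self, env, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._env = env

    def expand(self, key):
        return self._env.from_string(self[key]).render(self)


# Constructed sample config; key names are illustrative, not mock's real schema.
BENIGN = {
    "basedir": "/var/lib/mock",
    "root": "fedora-39-x86_64",
    "rootdir": "{{ basedir }}/{{ root }}/root",
}

# A value a less privileged user might be able to inject into a tag that a
# build system forwards to mock. Instead of referring to other keys it walks
# str -> object -> object.__subclasses__(), the usual first step of a Jinja2
# template injection; here it only counts the classes it reached.
HOSTILE = dict(BENIGN, tag="{{ ''.__class__.__mro__[1].__subclasses__() | length }}")


def expand_unsandboxed(config, key):
    """The vulnerable pattern: a plain jinja2.Environment, no sandbox."""
    return TemplatedConfig(jinja2.Environment(), config).expand(key)


def expand_sandboxed(config, key):
    """The hardened pattern: SandboxedEnvironment refuses underscore attributes."""
    return TemplatedConfig(SandboxedEnvironment(), config).expand(key)


def sandbox_blocks(config, key):
    """True if the sandbox rejected the value with jinja2.sandbox.SecurityError."""
    try:
        expand_sandboxed(config, key)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("unsandboxed rootdir:", expand_unsandboxed(BENIGN, "rootdir"))
    print("sandboxed rootdir:  ", expand_sandboxed(BENIGN, "rootdir"))
    reached = int(expand_unsandboxed(HOSTILE, "tag"))
    print(f"unsandboxed tag: template reached {reached} Python classes")
    print("sandboxed tag: blocked =", sandbox_blocks(HOSTILE, "tag"))
```

The benign value expands identically in both environments, which is the point of the sandbox: legitimate cross-references between configuration keys keep working, while the hostile value is stopped at the first dunder attribute access. A sandbox is a mitigation for the expansion step only; a build system that lets untrusted users supply configuration to mock still hands them a privileged input, so the access-control problem the advisory points at must be fixed at that layer as well.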