Gentoo Linux Security Advisory GLSA-202305-14
Gentoo Foundation
Published: May 03, 2023

uptimed: Root Privilege Escalation

Source: security.gentoo.org
Tags: uptimed, privilege escalation, ownership modifications, upgrade

CVSS v3.1 base score: 7.8 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None
  Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

EPSS score: 0; percentile: 5.1%

Background

uptimed is a system uptime record daemon that keeps track of your highest uptimes.

Description

The uptimed ebuild performed unnecessary file ownership modifications in its pkg_postinst phase. That phase runs at emerge time with the privileges of the emerging user (normally root) against the live filesystem, so the uptimed user could cause arbitrary files to become owned by the uptimed user.

Impact

A local attacker running as the uptimed user could escalate to root the next time the uptimed package is emerged, for example during an upgrade or reinstall.
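The class of bug described above (ownership or permission changes issued from pkg_postinst, which runs as root over a live directory the service user may already have populated) can be caught by a simple lint over an overlay's ebuilds. The script below is an added example and is not code from the GLSA or from the Gentoo uptimed ebuild; the two ebuild fragments it scans are constructed samples, and the spool path /var/spool/uptimed is an assumption. The safe sample sets ownership with fowners in src_install, which acts on the image under ${ED} that only Portage has written, rather than on the real filesystem.

```sh
#!/bin/sh
# Added example, not code from the GLSA or from the Gentoo uptimed ebuild:
# a lint that reports chown/chgrp/chmod calls issued from pkg_postinst(),
# the pattern this advisory describes. The two ebuild fragments below are
# constructed samples; the spool path /var/spool/uptimed is an assumption.
set -eu

# Print every chown/chgrp/chmod call inside pkg_postinst() of the ebuild $1
# as FILE:LINE: text. Exit 0 if at least one was found, 1 if none.
postinst_ownership_changes() {
    awk '
        # ebuilds declare the phase as "pkg_postinst() {"
        /^pkg_postinst[[:space:]]*\(\)/ { inside = 1; depth = 0 }
        inside {
            # count braces so nested if/for blocks do not end the scan early;
            # "${EROOT}" contributes one of each and nets to zero
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            code = $0; sub(/#.*/, "", code)   # crude comment strip (also cuts at # in strings)
            if (code ~ /(^|[^[:alnum:]_])(chown|chgrp|chmod)([[:space:]]|$)/) {
                print FILENAME ":" FNR ": " $0
                found++
            }
            if (depth <= 0) inside = 0        # closing brace of pkg_postinst
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Write the two constructed samples. The first changes ownership of a live
# directory from pkg_postinst, after the service user may already have
# populated it; the second sets ownership in src_install with fowners,
# which acts on the image under ${ED} that only Portage has written.
write_samples() {
    cat > "$1" <<'EOF'
src_install() {
	default
	keepdir /var/spool/uptimed
}

pkg_postinst() {
	# ownership fix-up on the live filesystem: the unsafe pattern
	if [[ -d "${EROOT}"/var/spool/uptimed ]]; then
		chown -R uptimed:uptimed "${EROOT}"/var/spool/uptimed
	fi
}
EOF
    cat > "$2" <<'EOF'
src_install() {
	default
	keepdir /var/spool/uptimed
	fowners uptimed:uptimed /var/spool/uptimed
}

pkg_postinst() {
	elog "uptimed keeps its records under /var/spool/uptimed"
}
EOF
}

# Stand-alone demo: scan both samples. A real run would loop over an
# overlay instead, e.g. find /var/db/repos/local -name '*.ebuild' (path assumed).
demo() {
    dir=$(mktemp -d)
    write_samples "$dir/uptimed-unsafe.ebuild" "$dir/uptimed-fixed.ebuild"
    for f in "$dir"/*.ebuild; do
        if postinst_ownership_changes "$f"; then
            echo "FLAGGED: $f"
        else
            echo "clean:   $f"
        fi
    done
    rm -rf "$dir"
}
demo
```

The lint only looks inside pkg_postinst, so fowners and fperms calls in src_install are deliberately not reported: they run before the merge, on files nobody but Portage has touched, which is exactly where ownership should be decided.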

Workaround

There is no known workaround at this time.

Resolution

All uptimed users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-misc/uptimed-0.4.6-r1"
Affected packages:

  OS      Version  Architecture  Package           Version     Filename
  Gentoo  any      all           app-misc/uptimed  < 0.4.6-r1  UNKNOWN
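To confirm whether a host still carries an affected version, the installed version has to be compared against 0.4.6-r1 with Gentoo's revision semantics (0.4.6 is older than 0.4.6-r1, and components compare numerically, so 0.4.10 is newer than 0.4.6). The script below is an added example and not part of the GLSA; the portageq call and the output format it parses are assumptions about the local Portage install, and vercmp handles only dotted integers plus an optional -rN revision, which is enough for the versions named here.

```sh
#!/bin/sh
# Added example, not part of the GLSA: check the installed app-misc/uptimed
# against the fixed version 0.4.6-r1 named in the resolution. The portageq
# call and its output format (app-misc/uptimed-<version>) are assumptions;
# vercmp only understands dotted integers plus an optional -rN revision.
set -eu

# Compare two Gentoo-style versions "A.B.C[-rN]" and print -1, 0 or 1.
# Components compare numerically (0.4.10 > 0.4.6); a missing component or
# revision counts as 0 (0.4.6 < 0.4.6-r1, 0.4 < 0.4.6).
vercmp() {
    a=${1%%-r*}; b=${2%%-r*}
    ra=0; rb=0
    case $1 in *-r*) ra=${1##*-r};; esac
    case $2 in *-r*) rb=${2##*-r};; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        if [ "$a" = "$ca" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$cb" ]; then b=; else b=${b#*.}; fi
        if [ "${ca:-0}" -lt "${cb:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ca:-0}" -gt "${cb:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' -1
    elif [ "$ra" -gt "$rb" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Exit 0 when VERSION is at or above the fixed version, 1 otherwise.
uptimed_fixed() {
    [ "$(vercmp "$1" 0.4.6-r1)" -ge 0 ]
}

# Ask Portage for the installed package (assumed to print e.g.
# app-misc/uptimed-0.4.6-r1, or nothing when not installed) and report.
# Returns 2 when an upgrade is needed.
check_installed() {
    pkg=$(portageq best_version / app-misc/uptimed 2>/dev/null) || pkg=
    if [ -z "$pkg" ]; then
        echo "app-misc/uptimed is not installed"
        return 0
    fi
    ver=${pkg#app-misc/uptimed-}
    if uptimed_fixed "$ver"; then
        echo "ok: $pkg is >= 0.4.6-r1"
    else
        echo "VULNERABLE (GLSA-202305-14): $pkg is < 0.4.6-r1; upgrade with:"
        echo '  emerge --ask --oneshot --verbose ">=app-misc/uptimed-0.4.6-r1"'
        return 2
    fi
}

# The live check runs only when invoked as: sh uptimed-glsa-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

The comparison is written by hand rather than with sort -V so that the -rN revision is treated as Portage does (a suffix that only breaks ties between otherwise equal versions); an ebuild-aware tool such as qatom from portage-utils could replace vercmp where it is available.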
