[SECURITY ADVISORY] seatd-launch: remove files with escalated privileges with SUID

Message ID
DKIM signature
Download raw message
seatd-launch: remove files with escalated privileges with SUID

This security advisory describes a vulnerability in seatd-launch 
shipped as part of seatd release 0.6.0, 0.6.1, 0.6.2 and 0.6.3. The 
vulnerability was fixed in seatd release 0.6.4.


seatd-launch could use a user-specified socket path instead of the 
internally generated socket path, and would unlink the socket path 
before use to guard against collision with leftover sockets. This meant 
that a caller could freely control what file path would be unlinked and 
replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious 
user to remove files with the privileges of the owner of seatd-launch, 
which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, 
and the user-owned socket file is at the current time not believed to 
be directly useful for further exploitation.


The vulnerability was first introduced in 48727a0b6bc2 when 
implementing command line argument support in seatd-launch.

To be vulnerable, the seatd-launch executable must be installed with 
the SUID bit set. The SUID bit is not set by the build system 
installation process, and must be done by either the package maintainer 
or user.

seatd and libseat are not affected by this vulnerability.

A CVE ID has been requested and will follow when issued.


    Affected: 0.6.0, 0.6.1, 0.6.2, 0.6.3
    Not affected: >= 0.6.4

seatd-launch did not exist prior to 0.6.0.


seatd 0.6.4 contains a security fix that addresses the vulnerability by 
removing support for user-specified socket paths from seatd-launch.


    A - Upgrade to version 0.6.4

    B - Remove seatd-launch if installed with the SUID bit set


    2022-02-21: The vulnerability is discovered by the project authors
    2022-02-21: A fix is released and a security advisory is posted
Message ID
<ETEO7R.QG8B1KGD531R1@kl.wtf> (view parent)
DKIM signature
Download raw message
The vulnerability has been assigned CVE-2022-25643.

The CVE data is expected to become public shortly.
Reply to thread Export thread (mbox)