seatd-launch: remove files with escalated privileges with SUID
This security advisory describes a vulnerability in seatd-launch
shipped as part of seatd release 0.6.0, 0.6.1, 0.6.2 and 0.6.3. The
vulnerability was fixed in seatd release 0.6.4.
seatd-launch could use a user-specified socket path instead of the
internally generated socket path, and would unlink the socket path
before use to guard against collision with leftover sockets. This meant
that a caller could freely control what file path would be unlinked and
replaced with a user-owned seatd socket for the duration of the session.
If seatd-launch had the SUID bit set, this could be used by a malicious
user to remove files with the privileges of the owner of seatd-launch,
which is likely root, and replace it with a user-owned domain socket.
This does not directly allow retrieving the contents of existing files,
and the user-owned socket file is at the current time not believed to
be directly useful for further exploitation.
The vulnerability was first introduced in 48727a0b6bc2 when
implementing command line argument support in seatd-launch.
To be vulnerable, the seatd-launch executable must be installed with
the SUID bit set. The SUID bit is not set by the build system
installation process, and must be done by either the package maintainer
seatd and libseat are not affected by this vulnerability.
A CVE ID has been requested and will follow when issued.
Affected: 0.6.0, 0.6.1, 0.6.2, 0.6.3
Not affected: >= 0.6.4
seatd-launch did not exist prior to 0.6.0.
seatd 0.6.4 contains a security fix that addresses the vulnerability by
removing support for user-specified socket paths from seatd-launch.
A - Upgrade to version 0.6.4
B - Remove seatd-launch if installed with the SUID bit set
2022-02-21: The vulnerability is discovered by the project authors
2022-02-21: A fix is released and a security advisory is posted