"quilt setup" considered harmful
Hello packagers,

the SUSE security team wants to draw your attention to a potential security
threat involving the use of `quilt setup ...` on untrusted RPM spec files.

For many of us, calling `quilt setup $PACKAGE.spec` is probably a frequent part
of our daily workflows. In contrast to building a package on the server in an
isolated VM or on the client in a chroot via `osc build`, `quilt setup`
runs without any isolation on the host in the calling user's context. As it
turns out, this operation easily allows code execution in the following ways:

- The statements in the `%prep` section of the RPM spec file are
unconditionally executed in the context of the calling user.
- Arbitrary flags can be passed to `patch` via `%define _default_patch_flags
...` in the spec file. By embedding semicolons into the flags, arbitrary
commands can be injected this way as well.
- By combining the available vectors, hard-to-spot malicious code can be
hidden in RPM spec files. For example, `patch` can be made to follow
symlinks, thereby "patching" files in a user's home directory, as demonstrated
in [1].

A demonstration works like this:

$ osc co home:mgerstner/surprise
$ cd home:mgerstner/surprise
$ quilt setup surprise.spec
# notice the surprise
$ bash

We have posted about this on the oss-security mailing list [2] to start a
discussion about possible countermeasures. A first-aid measure could be to run
`quilt setup` inside a docker container or in a similar isolated environment.
We are currently testing isolation of quilt with nsjail [3]. nsjail RPMs are
available for Leap 15 and Tumbleweed from its devel project [4]. It is
currently not found in Factory/Leap directly. Via the wrapper "squilt" [5],
nsjail is utilized to confine quilt so that it can read only the files it needs
and is only able to write in the current directory. According to our initial
testing it can be used as a drop-in replacement and should reduce the attack
surface.

Our foremost intent is to make you aware of this so you don't run `quilt
setup` unsuspectingly on untrusted packages that did not go through review.
Furthermore, we want to make you aware of how malicious code that targets this
can be embedded in spec files and patches. This should be taken into account
when reviewing package submissions.
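As an added example (not from the original post, and not part of quilt or squilt), here is a POSIX sh pre-flight check a reviewer can run on a spec file before `quilt setup`: it lists `_default_patch_flags` values that contain shell metacharacters and the `%prep` lines that are plain shell rather than `%setup`/`%patch` macros, the two vectors described above. The sample spec and the function names are constructed for illustration.

```shell
# Added example, not code from the original post or from quilt/squilt: a review-time
# pre-flight check for an unreviewed spec file before `quilt setup` is run on it.
# Value of every `%define`/`%global _default_patch_flags` line, one per line.
patch_flag_defines() {
    awk 'sub(/^[[:space:]]*%(define|global)[[:space:]]+_default_patch_flags[[:space:]]+/, "") { print }' "$1"
}
# Returns 0 if the flags carry shell metacharacters (the semicolon vector from the
# post and its relatives) that `quilt setup` would hand to the shell.
has_shell_meta() {
    case "$1" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$('*|*'<'*|*'>'*) return 0 ;;
    esac
    return 1
}
# Lines of %prep that are neither blank, comments nor the usual %setup/%patch/
# %autosetup/%autopatch macros: plain shell, run on the host by `quilt setup`.
prep_shell_lines() {
    awk '
        /^%prep([[:space:]]|$)/ { inprep = 1; next }
        /^%(build|install|check|files|changelog|description|package|pre|post|preun|postun|clean)([[:space:]]|$)/ { inprep = 0 }
        inprep && !/^[[:space:]]*(#|$)/ && !/^%(setup|patch|autosetup|autopatch)/ { print }
    ' "$1"
}
# Prints all findings for the spec in $1; returns 1 if there were any, else 0.
spec_risk_report() {
    report=$(
        patch_flag_defines "$1" | while IFS= read -r flags; do
            has_shell_meta "$flags" && printf 'patch flags contain shell metacharacters: %s\n' "$flags"
        done
        prep_shell_lines "$1" | while IFS= read -r line; do
            printf 'shell statement in %%prep: %s\n' "$line"
        done
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}
# Constructed sample spec (hypothetical package, not a real one) showing both vectors.
SAMPLE_SPEC=$(mktemp)
trap 'rm -f "$SAMPLE_SPEC"' EXIT
cat >"$SAMPLE_SPEC" <<'EOF'
Name:   surprise-demo
Patch0: fix.patch
%define _default_patch_flags -p1 ; echo injected
%prep
%setup -q
%patch0
echo "this runs on the host during quilt setup"
%build
make
EOF
spec_risk_report "$SAMPLE_SPEC" || echo "review the spec before running quilt setup"
```

The check is a review aid only; a clean report does not make `quilt setup` safe to run outside an isolated environment.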

If you have any questions or suggestions, please let's start a discussion.


Matthias Gerstner <matthias.gerstner@xxxxxxx>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
