Bugzilla – Bug 1212407
VUL-0: CVE-2023-1521: sccache: Local Privilege Escalation in sccache
Last modified: 2024-02-27 12:02:30 UTC
On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD. Quietly fixed in v0.4.0 without any mention in the release notes that there was a vulnerability.
References:
https://securitylab.github.com/advisories/GHSL-2023-046_ScCache/
Affected packages:
- SUSE:SLE-15-SP3:Update/sccache
- SUSE:SLE-15-SP4:Update/sccache
Already fixed:
- openSUSE:Factory/sccache
Patch:
https://github.com/mozilla/sccache/commit/098ab804ad6cfe6236a45ab695e9d500b61f1614.patch
I don't think we need to action this. We never run sccache as root. It's always run as the user, who self-connects to the server. The "priv esc" is Ubuntu specific in snap. And the ability to LD_PRELOAD is already allowing you to do many nasty things anyway. Given that sccache is a tool for our build servers, where a vm uses sccache as its own user, and it's all sandboxed, I don't think we have a problem here, since OBS is "remote code exec" as a service already. For developers, sccache is run as themselves on their own machine, when they compile. In both cases you're only really getting access to ... yourself? IMO we don't have to do anything here.
Hi William, I fully agree with you. In case sccache is used with the same privileges as the exploiting user there's no loot and no pain, and all the cases you mention fall into that. Anyway, according to our _channel files I see that we also ship this package to other products like: openSUSE-SLE_15.4, openSUSE-SLE_15.5, SLE-Product-SLES_15-SP3-LTSS, etc. In these cases we cannot assume the way the user is going to use/run sccache, therefore I would proceed to provide the security update anyway.
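The triage question raised in the two comments above (does any sccache server run under a different UID than the clients that talk to it, on a release older than v0.4.0?) can be checked on a host. This is an added audit sketch, not part of the bug report or of sccache; the function names and the "process named sccache" heuristic are assumptions.

```python
import os
import re
import sys
from pathlib import Path

FIXED = (0, 4, 0)  # first fixed upstream release, per the bug description


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'sccache 0.3.3' or an RPM version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def sccache_processes(proc_root="/proc"):
    """Yield (pid, real_uid, effective_uid) for every process whose name is 'sccache'."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            status = (entry / "status").read_text()
        except OSError:  # process exited, or status is unreadable
            continue
        fields = dict(l.split(":\t", 1) for l in status.splitlines() if ":\t" in l)
        if fields.get("Name") != "sccache":  # assumption: the server keeps this name
            continue
        ruid, euid = fields["Uid"].split()[:2]
        yield int(entry.name), int(ruid), int(euid)


def exposed(version_text, client_uid, proc_root="/proc"):
    """Return (pid, euid) of sccache processes a client with client_uid could gain from.

    A process counts only if the installed version predates the fix and its
    effective UID differs from the client's, i.e. there is a privilege boundary.
    """
    if parse_version(version_text) >= FIXED:
        return []
    return [(pid, euid) for pid, _, euid in sccache_processes(proc_root)
            if euid != client_uid]


if __name__ == "__main__":
    # Usage: python3 check_sccache.py "$(sccache --version)"
    for pid, euid in exposed(sys.argv[1], os.getuid()):
        print(f"pid {pid}: sccache running as uid {euid}, differs from uid {os.getuid()}")
```

An empty result matches the "you are only getting access to yourself" case; any hit is a server that should be updated or run under the calling user's UID.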
SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1181400, 1194119, 1196972, 1208553, 1212407
CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521
Sources used:
openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1
openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1
Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2637-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208553, 1212407
CVE References: CVE-2022-31394, CVE-2023-1521
Sources used:
openSUSE Leap 15.3 (src): sccache-0.4.1~18-150300.7.12.1
Development Tools Module 15-SP5 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Linux Enterprise Real Time 15 SP3 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): sccache-0.4.1~18-150300.7.12.1
SUSE Enterprise Storage 7.1 (src): sccache-0.4.1~18-150300.7.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.