Advisories for Cargo/Pleaser package

please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.) Here is how to see it in action: $ cd "$(mktemp -d)" $ git clone –depth 1 https://gitlab.com/edneville/please.git $ cd please/ $ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9 $ cargo test && cargo build –release $ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini $ sudo chown root:root …

pleaseedit in pleaser before 0.4.0 uses predictable temporary filenames in /tmp and the target directory. This allows a local attacker to gain full root privileges by staging a symlink attack.

Failure to normalize the umask in pleaser before 0.4.0 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.

pleaser before 0.4.0 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the –check option, or the -d option.