Bug 790939 - Gedit user plugins get loaded by root
Product: gedit
Classification: Applications
Component: general
Hardware/OS: Other Linux
Importance: Normal normal
Assigned To: Gedit maintainers
Depends on:
Reported: 2017-11-28 13:28 UTC by donazouni
Modified: 2020-11-24 09:56 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description donazouni 2017-11-28 13:28:09 UTC
Tested on:
gedit Version: 3.10.4
Ubuntu 14.04.5, Kernel 4.13.0

What I noticed is that if 2 plugins with the same name exist in both the default and local locations, the local one overrides the default one. This means that we can copy one of the default plugins' files to the local plugins directory (no need for special privileges), modify their code to perform malicious actions when gedit loads, and we gain runtime as root whenever the user invokes gedit with sudo.

In other words, once you have write permissions to the home directory of a sudoer user, you only have to wait for that user to open gedit using the sudo command, and the plugins from the home directory will be executed with root privileges.

Reproduction details:
-   Place a malicious plugin here, with the name of one of the default, enabled plugins: ~/.local/share/gedit/plugins/.
    (No need to enter root password for this file write)
-   Wait for the user to open any file with "sudo gedit" and the malicious plugin will be executed with root permissions.
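An audit script for the override described in this report, added here as an example (it is not part of the report or of gedit): it lists user-local plugin descriptors whose Module name collides with a system plugin, which are the copies that would replace the trusted ones and run as root under "sudo gedit". The system plugin directories are assumptions (they vary by distribution); the descriptor format is the libpeas .plugin keyfile with a [Plugin] group and a Module= key.

```python
"""Audit for user-local gedit plugins that shadow a system plugin of the same name."""
import configparser
import tempfile
from pathlib import Path

# Assumed system plugin locations: not stated in the report, they vary by distribution.
SYSTEM_PLUGIN_DIRS = ["/usr/lib/gedit/plugins", "/usr/lib/x86_64-linux-gnu/gedit/plugins"]
USER_PLUGIN_DIR = Path.home() / ".local/share/gedit/plugins"  # directory named in the report

def parse_plugin_file(path):
    """Return the Module name of a libpeas .plugin keyfile ([Plugin] group), or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8")
        return cp.get("Plugin", "Module")
    except (configparser.Error, UnicodeDecodeError):
        return None

def index_plugins(plugin_dir):
    """Map module name -> descriptor path for every *.plugin file in a directory."""
    plugin_dir, found = Path(plugin_dir), {}
    if plugin_dir.is_dir():
        for p in sorted(plugin_dir.glob("*.plugin")):
            module = parse_plugin_file(p)
            if module:
                found[module] = p
    return found

def find_shadowed(user_dir, system_dirs):
    """{module: (user_path, system_path)} for user plugins whose Module name collides
    with a system plugin: the user copy replaces the trusted one (as root under sudo)."""
    system = {}
    for d in system_dirs:
        for module, path in index_plugins(d).items():
            system.setdefault(module, path)  # first directory wins, like a search path
    user = index_plugins(user_dir)
    return {m: (user[m], system[m]) for m in user if m in system}

def demo():
    """Constructed sample tree: a user copy of 'modelines' shadows the system one."""
    root = Path(tempfile.mkdtemp())
    for sub, modules in {"sys": ["modelines", "sort"], "usr": ["modelines", "myown"]}.items():
        (root / sub).mkdir()
        for m in modules:
            (root / sub / f"{m}.plugin").write_text(f"[Plugin]\nModule={m}\nName={m}\n")
    return sorted(find_shadowed(root / "usr", [root / "sys"]))  # -> ['modelines']

if __name__ == "__main__":
    for module, (u, s) in find_shadowed(USER_PLUGIN_DIR, SYSTEM_PLUGIN_DIRS).items():
        print(f"WARNING: {module}: {u} shadows {s}")
```

Running the script as the affected user reports each shadowing descriptor; the demo() function exercises the same check on a constructed temporary tree.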
Comment 1 Sébastien Wilmet 2020-11-24 09:56:56 UTC
Mass-closing of all gedit bugzilla tickets.

Special "code" to find again all those gedit bugzilla tickets that were open before the mass-closing:


By searching the above sha256sum in bugzilla, the gedit contributors can find again the tickets. We may be interested in doing so when we work on a specific area of the code, to at least know the known problems and possible enhancements.

We do this mass-closing because is being replaced by