GNOME Bugzilla – Bug 790939
Gedit user plugins get loaded by root
Last modified: 2020-11-24 09:56:56 UTC
gedit Version: 3.10.4
Ubuntu 14.04.5, Kernel 4.13.0
What I noticed is that if 2 plugins with the same name exist in both the default and local locations, the local one overrides the default one. This means that we can copy one of the default plugins' files to the local plugins directory (no need for special privileges), modify their code to perform malicious actions when gedit loads, and we gain runtime as root whenever the user invokes gedit with sudo.
In other words, once you have write permissions to the home directory of a sudoer user, you only have to wait for that user to open gedit using the sudo command, and the plugins from the home directory will be executed with root privileges.
- Place a malicious plugin here, with the name of one of the default, enabled plugins: ~/.local/share/gedit/plugins/.
(No need to enter the root password for this file write)
- Wait for the user to open any file with "sudo gedit" and the malicious plugin will be executed with root permissions.
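A defender-side check for the condition described in this report, as an added example that is not part of the original report or of gedit's code: it lists user-local plugin descriptors whose name matches a system-installed plugin. Matching on the `Module` key of the `.plugin` descriptor, the function names, and the system plugin path are assumptions; the sample tree in the demo is constructed.

```python
import configparser
import tempfile
from pathlib import Path

def plugin_modules(plugin_dir):
    """Map Module name -> descriptor path for each *.plugin file under plugin_dir."""
    modules = {}
    root = Path(plugin_dir)
    if not root.is_dir():
        return modules
    for desc in sorted(root.rglob("*.plugin")):
        cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
        try:
            cp.read(desc, encoding="utf-8")
            name = cp.get("Plugin", "Module").strip()
        except (configparser.Error, UnicodeDecodeError):
            continue  # malformed descriptor or no Module key: skipped by this check
        modules.setdefault(name, desc)
    return modules

def find_shadowing(user_dir, system_dirs):
    """Return (module, user_path, system_path) for user plugins that shadow a system one."""
    system = {}
    for d in system_dirs:
        for name, path in plugin_modules(d).items():
            system.setdefault(name, path)
    return [(name, str(path), str(system[name]))
            for name, path in sorted(plugin_modules(user_dir).items())
            if name in system]

if __name__ == "__main__":
    # Constructed sample tree. On a real host, pass ~/.local/share/gedit/plugins
    # and the distribution's gedit plugin directory (its path is an assumption,
    # the report does not name it).
    with tempfile.TemporaryDirectory() as tmp:
        sysd, usrd = Path(tmp, "system"), Path(tmp, "user")
        for d, mods in ((sysd, ["docinfo", "spell"]), (usrd, ["docinfo", "mytool"])):
            d.mkdir()
            for m in mods:
                (d / f"{m}.plugin").write_text(f"[Plugin]\nModule={m}\nName={m}\n")
        for name, user_path, sys_path in find_shadowing(usrd, [sysd]):
            print(f"SHADOWED {name}: {user_path} overrides {sys_path}")
```

Run over each sudoer's home directory, any hit marks a local plugin that would take the place of a default one the next time gedit is started with sudo.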
Mass-closing of all gedit bugzilla tickets.
Special "code" to find again all those gedit bugzilla tickets that were open before the mass-closing:
By searching the above sha256sum in bugzilla, the gedit contributors can find again the tickets. We may be interested to do so when we work on a specific area of the code, to at least know the known problems and possible enhancements.
We do this mass-closing because bugzilla.gnome.org is being replaced by gitlab.gnome.org.