sccache vulnerable to privilege escalation if server is run as root
Description
Published to the GitHub Advisory Database
May 30, 2023
Reviewed
May 30, 2023
Published by the National Vulnerability Database
Nov 26, 2024
Last updated
Nov 26, 2024
Impact
On Linux the
sccache
client can execute arbitrary code with the privileges of a localsccache
server, by preloading the code in a shared library passed toLD_PRELOAD
.If the server is run as root (which is the default when installing the snap package), this means a user running the
sccache
client can get root privileges.Patches
Upgrade to 0.4.0
Workarounds
Don't run sccache server as root.
GitHub Security Lab number
GHSL-2023-046
References