CVE-2020-36770: 
Linux Gentoo vulnerability analysis and mitigation

CVE-2020-36770 affects the Gentoo ebuild for Slurm through version 22.05.3. The vulnerability exists in the pkg_postinst function which unnecessarily calls chown to assign root's ownership on files in the live root filesystem. This vulnerability was discovered in 2017 and publicly disclosed in January 2024 (NVD, Gentoo Bug).

The vulnerability stems from the pkg_postinst() function in the Slurm ebuild which uses 'chown -R' recursively on directories in the live root filesystem. If a hard link pointing to a root-owned file is placed in one of the affected paths by the slurm user, when Slurm is reinstalled or upgraded, the chown command will affect the target of the link and give ownership of the file to slurm:slurm. This creates a privilege escalation path (Gentoo Bug).

This vulnerability allows the slurm user to gain root privileges by exploiting the recursive chown operation during package installation or upgrade. An attacker with slurm user access could take ownership of root-owned files, effectively escalating their privileges on the system (NVD).

The vulnerability was initially addressed by removing the recursive (-R) flag from the chown command in the ebuild. However, this fix was deemed insufficient as the package was still vulnerable upon reinstallation. The ultimate resolution involved removing the affected versions from the Gentoo tree and later reintroducing a fixed version 24.05.3 that handles directory permissions properly (Gentoo Bug).