Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Aug 2011 23:43:03 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization

On Fri, Aug 12, 2011 at 09:37:19PM +0200, Tomas Hoger wrote:
> On Mon, 25 Jul 2011 08:57:10 +0200 Sebastian Krahmer wrote:
> 
> > On Fri, Jul 22, 2011 at 03:56:22PM -0400, Josh Bressers wrote:
> > > I presume this only needs one ID
> > > 
> > > Use CVE-2011-2709
> > 
> > You probably speak about:
> > 
> > http://www.suse.de/~krahmer/libs-vs-fscaps/
> 
> I believe Josh was referring to libgssapi and libgssglue mentioned in
> the subject.  It's the same code in both, libgssglue is libgssapi
> renamed.
> 
> Would you mind sharing the patch you used in SLE packages?  It does not
> seem to have been fixed in OpenSUSE yet.  Thanks!

I just did a basic uid check.

Index: libgssglue-0.1/src/g_initialize.c
===================================================================
--- libgssglue-0.1.orig/src/g_initialize.c
+++ libgssglue-0.1/src/g_initialize.c
@@ -34,6 +34,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include <dlfcn.h>
@@ -195,7 +197,8 @@ static void solaris_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
@@ -270,7 +273,8 @@ static void linux_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.