Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Aug 2011 23:43:03 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization

On Fri, Aug 12, 2011 at 09:37:19PM +0200, Tomas Hoger wrote:
> On Mon, 25 Jul 2011 08:57:10 +0200 Sebastian Krahmer wrote:
> 
> > On Fri, Jul 22, 2011 at 03:56:22PM -0400, Josh Bressers wrote:
> > > I presume this only needs one ID
> > > 
> > > Use CVE-2011-2709
> > 
> > You probably speak about:
> > 
> > http://www.suse.de/~krahmer/libs-vs-fscaps/
> 
> I believe Josh was referring to libgssapi and libgssglue mentioned in
> the subject.  It's the same code in both, libgssglue is libgssapi
> renamed.
> 
> Would you mind sharing the patch you used in SLE packages?  It does not
> seem to have been fixed in OpenSUSE yet.  Thanks!

I just did a basic uid check.

Index: libgssglue-0.1/src/g_initialize.c
===================================================================
--- libgssglue-0.1.orig/src/g_initialize.c
+++ libgssglue-0.1/src/g_initialize.c
@@ -34,6 +34,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include <dlfcn.h>
@@ -195,7 +197,8 @@ static void solaris_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
@@ -270,7 +273,8 @@ static void linux_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
 	filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ