Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Oct 2011 12:42:42 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: radvd 1.8.2 released with security fixes

On 10/07/2011 04:22 AM, Solar Designer wrote:

> 3) The radvd daemon would not fail on privsep_init() errors, which could
> cause it to run with full root privileges when it should be running as
> an unprivileged user. (CVE-2011-3603)
>

I think this is not an issue at all:

If you look at the unpatched code, in privsep-linux.c, privsep_init() 
can return -1 at two places.

A. if pipe(pipefds) fails
B. If fork() fails

If either of these functions fails, the end result is that there is no 
fork() and radvd runs as a single process.

Now looking at radvd.c


         /* drop root privileges if requested. */
         if (username) {
                 if (!singleprocess) {
                         dlog(LOG_DEBUG, 3, "Initializing privsep");
                         if (privsep_init() < 0)
                                 flog(LOG_WARNING, "Failed to initialize 
privsep.");
                 }

                 if (drop_root_privileges(username) < 0) {
                         perror("drop_root_privileges");
                         exit(1);
                 }
         }


After running privsep_init(), drop_root_privileges() is run, so :

a. if privsep_init() failed and drop_root_privileges() did not fail, you 
end up running a single radvd process running as radvd user, which is 
similar to running "radvd --singleprocess"

b. if privsep_init() failed and drop_root_privileges() failed, you bail 
out of the program, similar to what would happen if privsep_init() did 
not fail.

c. if privsep_init() and drop_root_privileges() did not fail, we have 
two radvd process, one running as radvd user and the other is root

So from what i can see, the maximum harm which would occur if 
privsep_init() fails, is that radvd would effectively run in 
--singleprocess mode





-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.