Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 19:50:38 -0400
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: powerdns does not clear supplementary groups

On May 24,  7:18pm, sgrubb@...hat.com (Steve Grubb) wrote:
-- Subject: Re: [oss-security] CVE Request: powerdns does not clear supplemen

| On Thursday, May 24, 2012 06:56:46 PM Solar Designer wrote:
| > On Thu, May 24, 2012 at 06:15:53PM -0400, Steve Grubb wrote:
| > > Here is a real life case:
| > > 
| > > + if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
| > > +                                setuid(pw->pw_uid) != 0 )
| > > 
| > > This is not upstream. This is a patch to drop capabilities by changing
| > > uid/gid. The person writing the patch intended to do the right thing -
| > > but failed. See the bug? This is in a network facing daemon that parses
| > > untrusted network packets.
| > 
| > Wow.  The NULL results in group 0 being added to the supplementary
| > groups list (so it survives the setgid(), at least on my quick test).
| 
| Yes. If you put that one snippet of code into google, you would find arpwatch is 
| the culprit.

there is one more:

http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch

christos

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ