Date: Thu, 30 Jul 2015 06:29:28 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser On Thu, Jul 23, 2015 at 10:09:54AM -0700, Qualys Security Advisory wrote: > Qualys Security Advisory > > CVE-2015-3245 userhelper chfn() newline filtering > > CVE-2015-3246 libuser passwd file handling > > > --[ Summary ]----------------------------------------------------------------- > > The libuser library implements a standardized interface for manipulating > and administering user and group accounts, and is installed by default > on Linux distributions derived from Red Hat's codebase. During an > internal code audit at Qualys, we discovered multiple libuser-related > vulnerabilities that allow local users to perform denial-of-service and > privilege-escalation attacks. As a proof of concept, we developed an > unusual local root exploit against one of libuser's applications. Excellent work, Qualys! However, this brings up the question: why didn't Red Hat do a security audit of this software they developed before putting it into their distros? I think Red Hat's own security team would have spotted these issues if it were tasked with proactive security audits of internally developed software (or of small yet critical components like this) rather than only(?) with security response. (I am writing this without knowledge of how Red Hat's security team operates internally. I am merely guessing.) These are not some subtle bugs that one could easily overlook in a large codebase. These are clear design flaws, of the kind we used to see found and fixed in 1990s, in small and obviously security-critical components. I understand there's probably more than enough security response work to keep the existing security team 100% busy, so maybe another sub-team is needed for this - or it can be outsourced, e.g. to Qualys or Openwall. ;-) The recent ABRT and apport findings by Tavis Ormandy and these userhelper and libuser findings by Qualys suggest that what's now known as Secure Software Development Life Cycle (S-SDLC) is missing at both Red Hat and Canonical. Will this change? Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ