Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 25 Jul 2016 11:49:28 +0200
From: Bálint Réczey <>
Cc: "Eric W. Biederman" <>, 
	Shadow package maintainers <>
Subject: Re: Re: [Pkg-shadow-devel] subuid security patches for
 shadow package


While this is not immediately clear from the Shadow homepage the
development continued on GitHub where I have opened two issues
for the two potential security problems:

Incorrect integer handling CVE-2016-6252:

Potentially unsafe use of getlogin CVE-2016-6251:

Probably upstream's issue tracker would be the best place
to discuss the fixes in detail. With upstream development
happening on GitHub the pkg-shadow-devel list could host
mostly Debian-packaging releated discussions and probably
not all oss-security subscribers would like to get all the


2016-07-25 10:39 GMT+02:00 Sebastian Krahmer <>:
> On Mon, Jul 25, 2016 at 10:03:31AM +0200, Sebastian Krahmer wrote:
>> On Wed, Jul 20, 2016 at 11:48:52PM +0200, Nicolas François wrote:
>> > Hi,
>> >
>> > The first point looks like a non issue to me.
>> >
>> > getlogin() is used to differentiate users with the same UID.
>> > The result of getlogin() is checked: if it returns a username that do not
>> > have the UID returned by getuid(), it will be ignored.
>> >
>> >
>> > Best Regards,
>> > --
>> > Nekral
>> I agree that its not a severe issue. But its dubious code at best.
>> I couldnt even imagine someone would have usernames with different UID's?
>> Maybe such configs should not be encouraged and potential issues with
>> that discussed.
>> My understanding of secure coding is that getlogin() should not
>> be trusted. Having same username with multiple UIDs is also to be avoided
>> IMHO, since its asking for trouble (I dont know if thats some requirement
>> of LSB or POSIX or so?)
> Err, sorry. Shared UID, different name (the other way around, thanks Alex).
> But then you are open to GID hopping attacks (as also previously
> pointed out) since you actually _do_ rely on getlogin() trust.
> Sebastian
> --
> ~ perl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ - SuSE Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ