Date: Mon, 25 Jul 2016 11:49:28 +0200
From: Bálint Réczey <balint@...intreczey.hu>
To: oss-security@...ts.openwall.com
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, 
	Shadow package maintainers <pkg-shadow-devel@...ts.alioth.debian.org>
Subject: Re: Re: [Pkg-shadow-devel] subuid security patches for
 shadow package

Hi,

While this is not immediately clear from the Shadow homepage the
development continued on GitHub where I have opened two issues
for the two potential security problems:

Incorrect integer handling CVE-2016-6252:
https://github.com/shadow-maint/shadow/issues/27

Potentially unsafe use of getlogin CVE-2016-6251:
https://github.com/shadow-maint/shadow/issues/28

Probably upstream's issue tracker would be the best place
to discuss the fixes in detail. With upstream development
happening on GitHub the pkg-shadow-devel list could host
mostly Debian-packaging related discussions and probably
not all oss-security subscribers would like to get all the
messages.

Cheers,
Balint

2016-07-25 10:39 GMT+02:00 Sebastian Krahmer <krahmer@...e.com>:
> On Mon, Jul 25, 2016 at 10:03:31AM +0200, Sebastian Krahmer wrote:
>> On Wed, Jul 20, 2016 at 11:48:52PM +0200, Nicolas François wrote:
>> > Hi,
>> >
>> > The first point looks like a non issue to me.
>> >
>> > getlogin() is used to differentiate users with the same UID.
>> > The result of getlogin() is checked: if it returns a username that does not
>> > have the UID returned by getuid(), it will be ignored.
>> >
>> >
>> > Best Regards,
>> > --
>> > Nekral
>>
>> I agree that it's not a severe issue. But it's dubious code at best.
>> I couldn't even imagine someone would have usernames with different UIDs?
>> Maybe such configs should not be encouraged and potential issues with
>> that discussed.
>>
>> My understanding of secure coding is that getlogin() should not
>> be trusted. Having same username with multiple UIDs is also to be avoided
>> IMHO, since it's asking for trouble (I don't know if that's some requirement
>> of LSB or POSIX or so?)
>
> Err, sorry. Shared UID, different name (the other way around, thanks Alex).
> But then you are open to GID hopping attacks (as also previously
> pointed out) since you actually _do_ rely on getlogin() trust.
>
> Sebastian
>
> --
>
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@...e.com - SuSE Security Team
>
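The check Nicolas describes above (a getlogin() result is only used if the name it returns maps back to the UID from getuid()), written out as an added example in C. This is not shadow's own code; the lookup-function parameter, the `resolve_caller_name` wrapper and the constructed account table (two names sharing UID 1000) are assumptions made so the validation logic can be exercised without a live utmp or passwd database.

```c
/* Added example (not shadow's own code): use getlogin() only after
 * confirming the name it returns belongs to the real UID of the caller. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_MAX_LEN 256

/* Lookup function type (assumption): lets the validation be run against a
 * constructed table instead of the live passwd database. */
typedef int (*uid_lookup_fn)(const char *name, uid_t *uid_out);

/* Return 1 if `name` is a known account whose UID equals `real_uid`, else 0.
 * A getlogin() result that fails this check is ignored, as the thread says. */
int login_name_is_trusted(const char *name, uid_t real_uid, uid_lookup_fn lookup)
{
    uid_t uid;
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strlen(name) >= NAME_MAX_LEN)
        return 0;
    if (lookup(name, &uid) != 0)
        return 0;              /* unknown account name */
    return uid == real_uid;
}

/* Live lookup through the passwd database (reentrant variant). */
int passwd_lookup(const char *name, uid_t *uid_out)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    *uid_out = pw.pw_uid;
    return 0;
}

/* Pick the caller's account name: getlogin() if it passes the check,
 * otherwise the passwd entry for getuid(). Returns 0 on success, -1 if no
 * name could be determined (hypothetical helper, not a shadow API). */
int resolve_caller_name(char *out, size_t outlen)
{
    char login[NAME_MAX_LEN];
    struct passwd pw, *res = NULL;
    char buf[4096];
    uid_t uid = getuid();

    if (getlogin_r(login, sizeof login) == 0 &&
        login_name_is_trusted(login, uid, passwd_lookup)) {
        snprintf(out, outlen, "%s", login);
        return 0;
    }
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    snprintf(out, outlen, "%s", pw.pw_name);
    return 0;
}

/* Constructed account table for the demonstration: "alice" and "alice2"
 * share UID 1000, "bob" has UID 1001. */
int table_lookup(const char *name, uid_t *uid_out)
{
    static const struct { const char *name; uid_t uid; } table[] = {
        { "alice", 1000 }, { "alice2", 1000 }, { "bob", 1001 }
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].name, name) == 0) {
            *uid_out = table[i].uid;
            return 0;
        }
    }
    return -1;
}

/* A process with real UID 1000 may be called "alice" or "alice2", but a
 * getlogin() result of "bob", an unknown name, or NULL is rejected. */
int demo(void)
{
    return login_name_is_trusted("alice2", 1000, table_lookup) == 1 &&
           login_name_is_trusted("bob", 1000, table_lookup) == 0 &&
           login_name_is_trusted("nobody-here", 1000, table_lookup) == 0 &&
           login_name_is_trusted(NULL, 1000, table_lookup) == 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    if (resolve_caller_name(name, sizeof name) == 0)
        printf("caller name: %s\n", name);
    else
        printf("caller name could not be determined\n");
    return demo() ? 0 : 1;
}
```

The point of the extra lookup parameter is that the trust decision is a pure function of (claimed name, real UID, account database), so it can be reviewed and tested on its own; `resolve_caller_name` only adds the fallback to getpwuid() when getlogin() is unavailable or fails the check.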
