Date: Thu, 25 Aug 2016 10:09:32 -0400 (EDT)
From: cve-assign@...re.org
To: dmoppert@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure

> https://bugzilla.redhat.com/show_bug.cgi?id=1339935

> The inclusion of "INPUTRC" in env_keep in /etc/sudoers allowed
> information disclosure through readline-enabled programs parsing the
> named file with elevated privileges. Local users with sudo access could
> read (portions of) specially-formatted files with elevated privileges.

> This flaw is distribution-specific - upstream sudo does not include
> INPUTRC

>> RHEL and Fedora by default include INPUTRC in /etc/sudoers, exposing
>> this issue to users of the default sudo configuration. INPUTRC should
>> not be included in "env_keep" at all, or else somehow restricted to
>> non-restricted shells (i.e. /bin/sh, /bin/bash).
>> 
>> It is also possible to cause a segmentation fault through stack
>> exhaustion in the target application by having INPUTRC specify a file
>> with an $include directive for itself.

Use CVE-2016-7091. The scope of this CVE is the entire 'INPUTRC should
not be included in "env_keep" at all, or else somehow restricted'
problem, which has both the information disclosure and segmentation
fault outcomes.
>>>> https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00012.html

>>>> Since there is already current_readline_init_include_level, maybe
>>>> implementing a max level for $include's would be worthwhile.

>>> I'll consider it for the next version.

If there is a reason that this must also be considered a vulnerability
in readline, please let us know. For example, maybe there are other
common programs that accept an INPUTRC environment variable over the
network during a login session for an authenticated attacker who is
only supposed to be able to execute a single command. Suppose that
this attacker can also create files beginning with $include (e.g., by
writing to a shared filesystem or using FTP upload). The unlimited
include level might allow much more resource consumption than
intended. Another possibility is that the INPUTRC environment variable
could specify a file that should not be read by this type of
restricted account, e.g., the /dev/zero file. However, we do not know
of a realistic attack scenario in which readline would be considered
the vulnerable software. There are no other CVE IDs -- either for
readline or for any other software -- at this time.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
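The sudoers misconfiguration described in the report can be checked for by replaying the env_keep directives in file order and seeing which variables survive. This is an added example, not code from the thread or from the sudo project; the sudoers text is a constructed sample (the exact RHEL/Fedora lines of the time are not reproduced here), and the risky-variable list defaults to INPUTRC because that is the variable the report names.

```python
# Audit a sudoers configuration for INPUTRC surviving in env_keep.
import re

# Constructed sample sudoers text (not the real RHEL/Fedora file): an env_reset
# policy whose env_keep list is built with += and a backslash continuation.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ALL LANGUAGE"
Defaults    env_keep += "INPUTRC \\
                         HOME XAUTHORITY"
root    ALL=(ALL)       ALL
"""

# Matches "Defaults env_keep" with an optional scope (Defaults:user etc.)
# and one of the three list operators sudoers supports: =, +=, -=.
ENV_KEEP_RE = re.compile(r'^Defaults(?:[:@>!]\S+)?\s+env_keep\s*(\+=|-=|=)\s*(.*)$')


def join_continuations(text):
    """Join physical lines ending in a backslash into logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def effective_env_keep(text):
    """Replay env_keep =, += and -= directives in file order, as sudo does."""
    kept = []
    for line in join_continuations(text):
        m = ENV_KEEP_RE.match(line.strip())
        if not m:
            continue
        op, names = m.group(1), m.group(2).strip().strip('"').split()
        if op == "=":
            kept = list(names)
        elif op == "+=":
            kept += [n for n in names if n not in kept]
        else:
            kept = [n for n in kept if n not in names]
    return kept


def audit_env_keep(text, risky=("INPUTRC",)):
    """Return the risky variable names a sudo-invoked program would inherit."""
    return [n for n in risky if n in effective_env_keep(text)]
```

Files pulled in via #include and #includedir need the same treatment, since a later `-=` or `+=` in an included file changes the effective list.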
