Date: Thu, 25 Aug 2016 10:09:32 -0400 (EDT) From: cve-assign@...re.org To: dmoppert@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://bugzilla.redhat.com/show_bug.cgi?id=1339935 > The inclusion of "INPUTRC" in env_keep in /etc/sudoers allowed > information disclosure through readline-enabled programs parsing the > named file with elevated privileges. Local users with sudo access could > read (portions of) specially-formatted files with elevated privileges. > This flaw is distribution-specific - upstream sudo does not include > INPUTRC >> RHEL and Fedora by default include INPUTRC in /etc/sudoers, exposing >> this issue to users of the default sudo configuration. INPUTRC should >> not be included in "env_keep" at all, or else somehow restricted to >> non-restricted shells (ie /bin/sh, /bin/bash). >> >> It is also possible to cause segmentation fault through stack >> exhaustion in the target application by having INPUTRC specify a file >> with an $include directive for itself. Use CVE-2016-7091. The scope of this CVE is the entire 'INPUTRC should not be included in "env_keep" at all, or else somehow restricted' problem, which has both the information disclosure and segmentation fault outcomes. >>>> https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00012.html >>>> Since there is already current_readline_init_include_level, maybe >>>> implementing a max level for $include's would be worthwhile. >>> I'll consider it for the next version. If there is a reason that this must also be considered a vulnerability in readline, please let us know. For example, maybe there are other common programs that accept an INPUTRC environment variable over the network during a login session for an authenticated attacker who is only supposed to be able to execute a single command. Suppose that this attacker can also create files beginning with $include (e.g., by writing to a shared filesystem or using FTP upload). The unlimited include level might allow much more resource consumption than intended. Another possibility is that the INPUTRC environment variable could specify a file that should not be read by this type of restricted account, e.g., the /dev/zero file. However, we do not know of a realistic attack scenario in which readline would be considered the vulnerable software. There are no other CVE IDs -- either for readline or for any other software -- at this time. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXvvuFAAoJEHb/MwWLVhi2ucMQAKsQXvK2gNQ6/9pOTw4h8S/o 9W2+DM+LsA2SgVI5IpsACmQqMTWN2mCPuSL/+Ba6PD7Tcda0TA7wsqfgw0kIJUEr etlI9ifWlCwWjpO9mwhPmJAPLPj2AX65JcbdTZpEK472zJNdeF8R4+QA+FJ9y4+G /UCkSRiH826E96shfmqadYaztcNLRtIfCgmXSiHsaRrkTyGKYIyQMynqxoqrG8Qg tztX0rIs9oMG+1BqHdJU+aV2vHnGMTRnqoVW7oPObsfTrgBzJrMNOyoY33ZpNDMQ GWzySg09zPt0qayktjA/tuqdkNEswq1Qirmr7Ai8rODuHBdK9+oJGMTuqC1NmaAr ZSilLQl1mnwgPMXD9THK2Dui7th4WCPEB+pp+zQ0uDogpuknzzwuftZLuYrHPFsp WsGiE7bEy4Uh1LK0ROLsd23bXuoYaIBj/iiQNUoEDckQYBuZRn0ZCYXyVjL7guLh ApQ4j5zYt++h0TzolF1t+2fw3SrCVuV4OE0gdmkcaDWCVgwvc/s/+ADZJUlongG3 VTFzG8iy4gJ8F+JOrJS7qX0g+wykDtDSqPfuDAhzgkQyS6MHwOJMM8g6UtsUlyYE LY8CaZJpLMNSf1+NbLzoHpaMt0Vys+cHOiBvwDfvwlseR9Wd91xDAOFcgxEAr8Av GulJIV7CVPniP8lUCUhY =B2yA -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ