Date: Fri, 20 Jan 2017 12:15:14 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: two flaws in hesiod permitting privilege elevation

Two flaws in Hesiod reported May 2016 - neither has made it into an
upstream release yet, but one is fixed in trunk and patches are
available for both. Note that glibc is not affected by either of these
issues.

Originally reported by Florian Weimer.

# Weak SUID check allowing privilege elevation

Hesiod unsafely checks EUID vs UID in a few places, consulting
environment variables for configuration if they match. This could be
used for privilege elevation under some circumstances. The fix uses
secure_getenv() in place of getenv().

https://bugzilla.redhat.com/show_bug.cgi?id=1332508
https://github.com/achernya/hesiod/pull/9

# Use of hard-coded DNS domain if configuration file cannot be read

If opening the configuration file fails, hesiod falls back on a default
domain ".athena.mit.edu" to retrieve managed information. A local
attacker with the opportunity to poison DNS cache could potentially
elevate their privileges to root by causing fopen() to fail.

https://bugzilla.redhat.com/show_bug.cgi?id=1332493
https://github.com/achernya/hesiod/pull/10

Thanks,

--
Doran Moppert
Red Hat Product Security
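
Added example, not part of the original message or of Hesiod's code: a C sketch contrasting the EUID-versus-UID comparison described under the first flaw with the secure-execution test (AT_SECURE) that glibc's secure_getenv() relies on, which also covers set-group-ID binaries and file capabilities. The struct creds model, the function names, the sample IDs and the EXAMPLE_CONFIG variable are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux, glibc >= 2.16) */
#include <sys/types.h>

/* Constructed model of a process's credentials right after exec. */
struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
    bool  file_caps;    /* binary conferred file capabilities */
};

/* Weak pattern: consult the environment whenever EUID == UID. */
static bool weak_trusts_env(const struct creds *c)
{
    return c->euid == c->uid;
}

/* Model of the conditions that put a process in secure-execution mode
 * (AT_SECURE): UID mismatch, GID mismatch, or capabilities gained from
 * the binary. An LSM may also set it; that case is not modelled here. */
static bool strict_trusts_env(const struct creds *c)
{
    bool secure = c->euid != c->uid || c->egid != c->gid || c->file_caps;
    return !secure;
}

/* Live check on Linux/glibc, equivalent in effect to secure_getenv():
 * the variable is ignored when the process runs in secure-execution mode. */
static const char *config_from_env(const char *name)
{
    return getauxval(AT_SECURE) ? NULL : getenv(name);
}

int main(void)
{
    /* Constructed case: set-group-ID binary run by uid 1000. */
    struct creds sgid = { 1000, 1000, 1000, 50, false };
    printf("setgid: weak=%d strict=%d\n",
           weak_trusts_env(&sgid), strict_trusts_env(&sgid));
    /* EXAMPLE_CONFIG is a hypothetical variable name. */
    const char *v = config_from_env("EXAMPLE_CONFIG");
    printf("EXAMPLE_CONFIG=%s\n", v ? v : "(ignored or unset)");
    return 0;
}
```

In new code, calling secure_getenv() directly (with _GNU_SOURCE defined before the first include) is the simpler form of config_from_env().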