Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150330053150.GA484@brightrain.aerifal.cx>
Date: Mon, 30 Mar 2015 01:31:50 -0400
From: Rich Felker <dalias@...c.org>
To: busybox@...ybox.net
Cc: musl@...ts.openwall.com
Subject: Busybox on musl is affected by CVE-2015-1817

For details on CVE-2015-1817, see:
http://www.openwall.com/lists/musl/2015/03/30/1

With musl-linked Busybox installed setuid and ping enabled, exploiting
this issue is trivial.

While CVE-2015-1817 is certainly musl's fault, there are two changes
to Busybox I'd like to propose that would have prevented it from being
exploitable:

1. Having setuid utilities like ping obtain the resource they need (in
   the case of ping, SOCK_RAW) without processing user input at all,
   then fully dropping root (setuid(getuid())) before doing anything.
   This has been standard practice for setuid programs since the 90s
   and it feels bad that busybox is not doing it.

2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
   ping, which allows it to run without root.

Do either or both of these sound acceptable?

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.