Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 31 Mar 2015 21:07:19 +0200
From: Denys Vlasenko <>
To: Rich Felker <>
Cc: busybox <>, musl <>
Subject: Re: Busybox on musl is affected by CVE-2015-1817

On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <> wrote:
> For details on CVE-2015-1817, see:
> With musl-linked Busybox installed setuid and ping enabled, exploiting
> this issue is trivial.
> While CVE-2015-1817 is certainly musl's fault, there are two changes
> to Busybox I'd like to propose that would have prevented it from being
> exploitable:
> 1. Having setuid utilities like ping obtain the resource they need (in
>    the case of ping, SOCK_RAW) without processing user input at all,
>    then fully dropping root (setuid(getuid())) before doing anything.
>    This has been standard practice for setuid programs since the 90s
>    and it feels bad that busybox is not doing it.

In general this is acceptable, but with this particular case
and CVE, it wouldn't help.

create_icmp_socket(lsa) needs to know of which address family
the socket should be:

        if (lsa-> == AF_INET6)
                sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
                sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */

This is only known after HOST is parsed.
And CVE is in DNS resolving code :(

> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
>    ping, which allows it to run without root.

This seems to lead to a significantly larger code.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.