Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Apr 2015 00:11:18 +0100
From: Justin Cormack <>
Cc: Rich Felker <>, busybox <>
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817

On 31 March 2015 at 20:07, Denys Vlasenko <> wrote:
> On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <> wrote:
>> For details on CVE-2015-1817, see:
>> With musl-linked Busybox installed setuid and ping enabled, exploiting
>> this issue is trivial.
>> While CVE-2015-1817 is certainly musl's fault, there are two changes
>> to Busybox I'd like to propose that would have prevented it from being
>> exploitable:
>> 1. Having setuid utilities like ping obtain the resource they need (in
>>    the case of ping, SOCK_RAW) without processing user input at all,
>>    then fully dropping root (setuid(getuid())) before doing anything.
>>    This has been standard practice for setuid programs since the 90s
>>    and it feels bad that busybox is not doing it.
> In general this is acceptable, but with this particular case
> and CVE, it wouldn't help.
> create_icmp_socket(lsa) needs to know of which address family
> the socket should be:
>         if (lsa-> == AF_INET6)
>                 sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
>         else
>                 sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */
> This is only known after HOST is parsed.
> And CVE is in DNS resolving code :(

One advantage if the traditional separation of ping and ping6.

>> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
>>    ping, which allows it to run without root.
> This seems to lead to a significantly larger code.

Slightly larger code or security holes. Is it really that much bigger?


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.