Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Apr 2015 08:52:51 +0100
From: Raphael Cohn <raphael.cohn@...rmmq.com>
To: musl@...ts.openwall.com
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817

Rich, Justin, Rune: Seconded. The need for a discussion here is deeply
worrying. It's not smaller code if it's insecure code. And given two very
viable techniques, it seems moot.

Personally, I'd be in favour of the SOCK_DGRAM approach, as it eliminates
the need for setuid. How difficult would it be for someone to maintain this
patch in a forked BusyBox, or as a compile option (turned on by default)?
(I'd be happy to help with this). Is this something Alpine Linux might
consider?

On 1 April 2015 at 08:41, <u-wsnj@...ey.se> wrote:

> On Tue, Mar 31, 2015 at 07:48:10PM -0400, Rich Felker wrote:
> > > > 2. Reconsider the rejection of the patch to add SOCK_DGRAM support
> for
> > > >    ping, which allows it to run without root.
> > >
> > > This seems to lead to a significantly larger code.
> >
> > I don't recall the exact amount, but given that busybox's suid
> > framework is not taking any precautions to mitigate the risks of suid
> > (not to mention that eliminating all suids is a goal of some
> > security-conscious systems integrators)
>
> Yes it is here (the goal).
>
> Suid is a very old and nowadays quite redundant tool, mostly holding
> ground due to its "simplicity" (say, compared to talking to a daemon)
> and to the tradition. Seen from a different perspective, it is from the
> pre-network epoch ("the computer is the universe") and enforces among
> others hardcoded paths - which is a PITA for reusable and globally
> placed software.
>
> > I think it would be worth it
> > even if it doubled the size of the ping utility (which it does not).
>
> +1
>
> Rune
>
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.