Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 30 Jul 2015 06:29:28 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On Thu, Jul 23, 2015 at 10:09:54AM -0700, Qualys Security Advisory wrote:
> Qualys Security Advisory
> 
> CVE-2015-3245 userhelper chfn() newline filtering
> 
> CVE-2015-3246 libuser passwd file handling
> 
> 
> --[ Summary ]-----------------------------------------------------------------
> 
> The libuser library implements a standardized interface for manipulating
> and administering user and group accounts, and is installed by default
> on Linux distributions derived from Red Hat's codebase. During an
> internal code audit at Qualys, we discovered multiple libuser-related
> vulnerabilities that allow local users to perform denial-of-service and
> privilege-escalation attacks. As a proof of concept, we developed an
> unusual local root exploit against one of libuser's applications.

Excellent work, Qualys!

However, this brings up the question: why didn't Red Hat do a security
audit of this software they developed before putting it into their
distros?  I think Red Hat's own security team would have spotted these
issues if it were tasked with proactive security audits of internally
developed software (or of small yet critical components like this)
rather than only(?) with security response.  (I am writing this without
knowledge of how Red Hat's security team operates internally.  I am
merely guessing.)  These are not some subtle bugs that one could easily
overlook in a large codebase.  These are clear design flaws, of the kind
we used to see found and fixed in 1990s, in small and obviously
security-critical components.

I understand there's probably more than enough security response work to
keep the existing security team 100% busy, so maybe another sub-team is
needed for this - or it can be outsourced, e.g. to Qualys or Openwall. ;-)

The recent ABRT and apport findings by Tavis Ormandy and these userhelper
and libuser findings by Qualys suggest that what's now known as Secure
Software Development Life Cycle (S-SDLC) is missing at both Red Hat and
Canonical.  Will this change?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.