Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 30 Jul 2015 06:29:28 +0300
From: Solar Designer <>
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On Thu, Jul 23, 2015 at 10:09:54AM -0700, Qualys Security Advisory wrote:
> Qualys Security Advisory
> CVE-2015-3245 userhelper chfn() newline filtering
> CVE-2015-3246 libuser passwd file handling
> --[ Summary ]-----------------------------------------------------------------
> The libuser library implements a standardized interface for manipulating
> and administering user and group accounts, and is installed by default
> on Linux distributions derived from Red Hat's codebase. During an
> internal code audit at Qualys, we discovered multiple libuser-related
> vulnerabilities that allow local users to perform denial-of-service and
> privilege-escalation attacks. As a proof of concept, we developed an
> unusual local root exploit against one of libuser's applications.

Excellent work, Qualys!

However, this brings up the question: why didn't Red Hat do a security
audit of this software they developed before putting it into their
distros?  I think Red Hat's own security team would have spotted these
issues if it were tasked with proactive security audits of internally
developed software (or of small yet critical components like this)
rather than only(?) with security response.  (I am writing this without
knowledge of how Red Hat's security team operates internally.  I am
merely guessing.)  These are not some subtle bugs that one could easily
overlook in a large codebase.  These are clear design flaws, of the kind
we used to see found and fixed in 1990s, in small and obviously
security-critical components.

I understand there's probably more than enough security response work to
keep the existing security team 100% busy, so maybe another sub-team is
needed for this - or it can be outsourced, e.g. to Qualys or Openwall. ;-)

The recent ABRT and apport findings by Tavis Ormandy and these userhelper
and libuser findings by Qualys suggest that what's now known as Secure
Software Development Life Cycle (S-SDLC) is missing at both Red Hat and
Canonical.  Will this change?


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.