Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 24 Aug 2015 06:09:10 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-5224 login-utils: file name collision due to incorrect
 mkstemp use

Dear List,

A CVE-ID and a patch have just been issued for a vulnerability that we
discovered in util-linux (while investigating the libuser bugs):

CVE-2015-5224 login-utils: file name collision due to incorrect mkstemp use
https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9

If the chfn and chsh binaries (both setuid-root) from
util-linux/login-utils are compiled WITHOUT libuser support, they
eventually call mkostemp(localtmp, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC);
where localtmp is "/etc/%s.XXXXXX" and %s is __progname (i.e., argv[0]'s
basename).

An attacker could repeatedly execve chfn as "ld.so" until mkostemp()
creates "/etc/ld.so.preload" (after a few days, in our tests).  This
particular example doesn't actually work, because "preload" is 7 chars
and "XXXXXX" is 6 chars, but it seems there are other interesting
possibilities, like "/etc/rc.status" and "/etc/krb5.keytab".

The impact of this vulnerability is probably very limited: most Linux
distributions ship either the chfn/chsh binaries from the shadow-utils
(NOT the login-utils ones), or the login-utils ones but WITH libuser
support.

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.