Date: Mon, 24 Aug 2015 06:09:10 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: CVE-2015-5224 login-utils: file name collision due to incorrect mkstemp use Dear List, A CVE-ID and a patch have just been issued for a vulnerability that we discovered in util-linux (while investigating the libuser bugs): CVE-2015-5224 login-utils: file name collision due to incorrect mkstemp use https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9 If the chfn and chsh binaries (both setuid-root) from util-linux/login-utils are compiled WITHOUT libuser support, they eventually call mkostemp(localtmp, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC); where localtmp is "/etc/%s.XXXXXX" and %s is __progname (i.e., argv's basename). An attacker could repeatedly execve chfn as "ld.so" until mkostemp() creates "/etc/ld.so.preload" (after a few days, in our tests). This particular example doesn't actually work, because "preload" is 7 chars and "XXXXXX" is 6 chars, but it seems there are other interesting possibilities, like "/etc/rc.status" and "/etc/krb5.keytab". The impact of this vulnerability is probably very limited: most Linux distributions ship either the chfn/chsh binaries from the shadow-utils (NOT the login-utils ones), or the login-utils ones but WITH libuser support. With best regards, -- the Qualys Security Advisory team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.