Date: Wed, 20 Jul 2016 11:14:53 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: subuid security patches for shadow package -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) Removing getlogin() to find out about users. > It relies on utmp, which is not a trusted base of info (group writable). Possibly the concern is that the utmp entry might have a spoofed username associated with the correct uid, and the attacker's goal is to obtain unauthorized group privileges. We have not studied the code in detail, but shadow-4.2.1/src/newgrp.c seems to have this sequence of calls: pwd = get_my_pwent (); [ note that this calls getlogin ] grp = xgetgrgid (pwd->pw_gid); gid = grp->gr_gid; setgid (gid) Use CVE-2016-6251 for the potentially unsafe use of getlogin. > there was a *int overflow*, which can be > tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed) > which produces no error but tries to write large "count" values to the uid_map > file >> After checking some kernels, it looks like this int wrap is exploitable as a LPE, >> as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64) >> as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire >> different view on the upper and lower bounds, making newuidmap overflow (and pass) >> and still being in bounds inside the kernel. >> >> So everyone shipping newuidmap as mode 04755 should fix it. :) shadow-4.2.1/src/Makefile.in has: suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap Use CVE-2016-6252 for the incorrect integer handling. > From: ebiederm@...ssion.com (Eric W. Biederman) > > Adding the shadow-development list, so there is a chance other people > familiar with the code can comment as well. There are no replies yet after the http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-July/011017.html post. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXj5TsAAoJEHb/MwWLVhi2x6cP/1MqBp/UizSC/Omsgd08miga HwWaU2OmWD+3eXXvyHMevNaAKrtgk385Hb7anlZmFL3g+qveQ6z1mlfpOM0RnzP2 1Ugbuj6MWNva98dHEXXIqfl1imsXmUJVsFGZcDZ6lHiLjCDiwWWs6F6R+N3dNKDn dxcG70pxp8Id63Gednmfv+kzE8STW6cephtY7Iwm2YDBrWfVuDbuNMYOODnfv3Sq CPN+U+NrzFmZONMOyhsq0FxhPRYSEAiM2Z90su0p1hLXW+OEJ4r/2ntPgbOoaN2y jUEFLlsDLrQqTjyhq+l6APHwR+v4riLqdCpen6Mu/p1d6IY880jjWpLAxX02mQw1 55o00PaKHutIusR7CJo+6GnYeL+DqViUB6ROwZhvScxsFDp/qug3awgjPr5BY4Pk MtawRi5Ul5lvn1vZiHTnBFjPsg1GrBKSWHtI51wnyPdm/R75AwriHBEVZvBJAczh ej7WFm0aNg6HfTIJsUWkqP27n7BYjukGYC6ntbDX+TBPLeRC4f9bhqPAHtDsVvRm zGaPylqu7hskxe5vb8fkht37jgjBgxn2cAcaPmT8vYR4eFqYk3oKP+ON4vON+nbD 6ofFyLMqTgzKJySLDsOKZ0nYbIsxceJzqEuwMyl/q9QEbhEop0rFq0UmeppUoZg3 3bg8yO0WagWNIOKO+lEd =+wdJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.