Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 19 May 2020 10:25:25 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: qmail: short/int vs. gid_t

Hi all,

While discussing the qmail vulnerabilities on distros@...nwall, we also
discussed the following issue (which exists in qmail and in related
software such as checkpassword):

On Thu, May 07, 2020 at 05:39:18PM +0200, Solar Designer wrote:
> BTW, how about this piece in qmail 1.03? -
>
> /* XXX: there are more portability problems here waiting to leap out at me */
>
> int prot_gid(gid) int gid;
> {
> #ifdef HASSHORTSETGROUPS
>   short x[2];
>   x[0] = gid; x[1] = 73; /* catch errors */
>   if (setgroups(1,x) == -1) return -1;
> #else
>   if (setgroups(1,&gid) == -1) return -1;
> #endif
>   return setgid(gid); /* _should_ be redundant, but on some systems it isn't */
> }
>
> As you can see, this tries to workaround ancient systems where the size
> of groups array elements might not be reliably known.  However, notice
> that none of the compile-time options uses gid_t.  If the size of gid_t
> doesn't match either "short" or "int" (whichever is chosen at compile
> time above), this might set a wrong supplementary group, especially on
> big-endian architectures.
>
> The workaround with setting two groups array elements is rather common -
> I used that one myself - but it's only safe on modern systems when used
> along with gid_t (so the extra element is guaranteed to be ignored when
> the workaround is unneeded).
>
> You might want to check how this function changed(?) in currently
> maintained qmail forks, and suggest they use gid_t if not already.
>
> I guess original qmail didn't use gid_t so that it'd build on systems
> that don't define this type.  Supporting those systems should be
> unneeded now.

The developers of notqmail have been working on a fix for this issue:

    https://github.com/notqmail/notqmail/pull/72

Thank you very much!

With best regards,

--
the Qualys Security Advisory team


[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>



This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.