Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Apr 2021 14:51:52 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: xscreensaver package caps gets raw socket

On Sat, Apr 17, 2021 at 09:51:38PM -0300, √Črico Nogueira wrote:
> Em 17/04/2021 11:31, Tavis Ormandy escreveu:
> >Summary of discussion so far:
> >
> >- In theory, mesa support running in a privileged context, their
> >   documentation says they disable dangerous features in setuid/setgid
> >   binaries:
> >
> >     https://mesa-docs.readthedocs.io/en/latest/egl.html
> >
> >   In fact, this is broken because they only check if (geteuid() !=
> >   getuid()) { ... }. That check doesn't even handle setgid, let alone file
> >   caps. If mesa agree this is a bug, simply changing their checks to if
> >   (getauxval(AT_SECURE)) { ... } might make this bug go away, and handle
> >   file caps and setgid for free. I filed a bug for that, but there
> >   hasn't been a response:
> >   https://gitlab.freedesktop.org/mesa/mesa/-/issues/4549
> 
> The linked issue appears to be private... Not sure it makes sense, since 
> the problem has been explained in this public email. FWIW, libglvnd has 
> the same issue, though it at leasts (E)GID as well. Sending it here 
> because I couldn't find a security contact.
> 
> https://github.com/NVIDIA/libglvnd/blob/acc654454867c7cdd681cc1f60f858bcd6e5e729/src/EGL/libeglvendor.c
> 
>     if (getuid() == geteuid() && getgid() == getegid()) {
>         env = getenv("__EGL_VENDOR_LIBRARY_FILENAMES");
>     }
> 
> I will look into opening an issue with them and finding a fix.

Related:

https://www.openwall.com/lists/oss-security/2019/12/04/6

"search for LIBGL_DRIVERS_PATH finds that Mesa appears to have the same
issue, and it also finds that we should also search for GBM_DRIVERS_PATH
(apparently, for older Mesa) and maybe EGL_DRIVERS_PATH and EGL_DRIVER,
and LIBVA_DRIVERS_PATH and LIBVA_DRIVER_NAME.  There are probably more."

> Using `secure_getenv` in some of these cases would probably work as well 
> as checking `getauxval(AT_SECURE)`, especially because it seems (from my 
> quick search over at <https://man.bsd.lv>) that both are Linux specific 
> anyway.
> 
> It would be nice to define a `is_privileged_context()` function that 
> works on most platforms to be shared across projects or used as a 
> library.

Historically, that's __libc_enable_secure on glibc (although if
secure_getenv() does what's needed in a given context, then you don't
need to use __libc_enable_secure directly) and issetugid(2) on OpenBSD.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.