Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 18 Apr 2021 14:51:52 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: xscreensaver package caps gets raw socket

On Sat, Apr 17, 2021 at 09:51:38PM -0300, Érico Nogueira wrote:
> Em 17/04/2021 11:31, Tavis Ormandy escreveu:
> >Summary of discussion so far:
> >
> >- In theory, mesa support running in a privileged context, their
> >   documentation says they disable dangerous features in setuid/setgid
> >   binaries:
> >
> >     https://mesa-docs.readthedocs.io/en/latest/egl.html
> >
> >   In fact, this is broken because they only check if (geteuid() !=
> >   getuid()) { ... }. That check doesn't even handle setgid, let alone file
> >   caps. If mesa agree this is a bug, simply changing their checks to if
> >   (getauxval(AT_SECURE)) { ... } might make this bug go away, and handle
> >   file caps and setgid for free. I filed a bug for that, but there
> >   hasn't been a response:
> >   https://gitlab.freedesktop.org/mesa/mesa/-/issues/4549
> 
> The linked issue appears to be private... Not sure it makes sense, since 
> the problem has been explained in this public email. FWIW, libglvnd has 
> the same issue, though it at leasts (E)GID as well. Sending it here 
> because I couldn't find a security contact.
> 
> https://github.com/NVIDIA/libglvnd/blob/acc654454867c7cdd681cc1f60f858bcd6e5e729/src/EGL/libeglvendor.c
> 
>     if (getuid() == geteuid() && getgid() == getegid()) {
>         env = getenv("__EGL_VENDOR_LIBRARY_FILENAMES");
>     }
> 
> I will look into opening an issue with them and finding a fix.

Related:

https://www.openwall.com/lists/oss-security/2019/12/04/6

"search for LIBGL_DRIVERS_PATH finds that Mesa appears to have the same
issue, and it also finds that we should also search for GBM_DRIVERS_PATH
(apparently, for older Mesa) and maybe EGL_DRIVERS_PATH and EGL_DRIVER,
and LIBVA_DRIVERS_PATH and LIBVA_DRIVER_NAME.  There are probably more."

> Using `secure_getenv` in some of these cases would probably work as well 
> as checking `getauxval(AT_SECURE)`, especially because it seems (from my 
> quick search over at <https://man.bsd.lv>) that both are Linux specific 
> anyway.
> 
> It would be nice to define a `is_privileged_context()` function that 
> works on most platforms to be shared across projects or used as a 
> library.

Historically, that's __libc_enable_secure on glibc (although if
secure_getenv() does what's needed in a given context, then you don't
need to use __libc_enable_secure directly) and issetugid(2) on OpenBSD.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.