Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 18 Apr 2023 20:41:35 +0800
From: Ruihan Li <lrh2000@....edu.cn>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com, 
	"Todd C. Miller" <Todd.Miller@...o.ws>, Ruihan Li <lrh2000@....edu.cn>
Subject: Re: CVE-2023-2002: Linux Bluetooth: Unauthorized
 management command execution

Hi Solar Designer,

> Thank you Ruihan Li for finding and handling this vulnerability so well,
> and for the detailed write-up.
> 
> When discussing this on linux-distros a week ago, I wrote:

Also thanks to all the people at linux-distro and s@k.o who helped to
improve the final disclosure and patches.

> OTOH, not all distros are typical.  Besides Android, we got rid of all
> SUID binaries in default install of Owl over a decade ago.  While Owl is
> now effectively EOL'ed, some of its legacy lives on in ALT Linux
> distros, which are maintained, and other distros can do similar - it's
> primarily a matter of caring to do it or not.  We did not package sudo
> in Owl, but if someone were to install it then it'd be the only program
> exposing this kernel vulnerability.  So in that case, hardening sudo
> would have helped.

That's good to know. I was wondering if there were distros that did not
have setuid binaries, which was why I said only ``a number of distros''
were vulnerable.

For Steffen Nurpmeso wrote earlier:
> I wonder -- have you verified that they do not use isatty(3) aka
> some tc*() series *first*?  The above with sudo does for example
> not reveal anything as shown, roght?  FD 2 seems to be a terminal,
> .. and whereas i do not have sudo src here, i am sure it uses
> isatty(3) and tcgetattr(3).

I just noticed that sudo added the isatty check a day ago (April 17th)
[1]. I think this change was inspired by this vulnerability, wasn't it?
However, as Jakub Wilk pointed out, isatty is still implemented by an
ioctl call, so the addition of this check has nothing to do with this
vulnerability. Nevertheless, it is still a good idea to make sure isatty
succeeds before using ioctl calls with other (perhaps more complex and
arbitrary) tty commands.

[1]: https://github.com/sudo-project/sudo/commit/5650b436e6ba20807758a4154e709c10c1c87be8 

Thanks,
Ruihan Li

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.