oss-sec mailing list archives
Re: CVE Request: powerdns does not clear supplementary groups
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 25 May 2012 11:55:50 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/24/2012 04:56 PM, Solar Designer wrote:
> On Thu, May 24, 2012 at 06:15:53PM -0400, Steve Grubb wrote:
>> Here is a real life case:
>>
>> + if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
>> + setuid(pw->pw_uid) != 0 )
>>
>> This is not upstream. This is a patch to drop capabilities by changing
>> uid/gid. The person writing the patch intended to do the right thing -
>> but failed. See the bug? This is in a network facing daemon that parses
>> untrusted network packets.
>
> Wow. The NULL results in group 0 being added to the supplementary groups
> list (so it survives the setgid(), at least on my quick test).
>
> How did you spot this? Compiler warning?
>
> "passing arg 2 of `initgroups' makes integer from pointer without a cast"
>
> Alexander
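Review bot: in the quoted `+ if ( initgroups(pw->pw_name, NULL) != 0 || ...` line the second argument of initgroups() is a gid_t, so NULL is silently converted to 0 and group 0 is added to the supplementary group list, where the following setgid()/setuid() leave it untouched. The argument should be pw->pw_gid, and the build should run with warnings enabled so the "makes integer from pointer without a cast" diagnostic quoted above is not missed; a getgroups() check after the drop would also catch a leftover GID 0 at runtime.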
Ok this part I did not know, so this is an obvious trust boundary violation (the intention was to drop privileges but it instead ADDS root privileges).

Please use CVE-2012-2653 for this issue.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
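The corrected privilege-drop sequence, as an added example that is not code from the thread or from PowerDNS: the second initgroups() argument is the user's primary gid rather than NULL, the groups/gid/uid order is kept, and a getgroups() check afterwards refuses to continue if a GID 0 survived the drop (the runtime check that would have exposed the bug discussed above). The default user name "nobody" is a constructed placeholder; drop_privileges() itself needs root to succeed, while the check helpers run as any user.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if 'wanted' appears anywhere in a group list, else 0.
 * Used to detect a leftover GID 0 after the drop. */
int groups_contain(const gid_t *groups, int count, gid_t wanted)
{
    for (int i = 0; i < count; i++)
        if (groups[i] == wanted)
            return 1;
    return 0;
}

/* Inspect the calling process: 0 if the effective uid/gid equal the target
 * and no supplementary group is 0; -1 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (geteuid() != uid || getegid() != gid)
        return -1;
    int n = getgroups(0, NULL);               /* size the list first */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (!groups)
        return -1;
    n = getgroups(n, groups);
    int leaked = (n < 0) || groups_contain(groups, n, 0);
    free(groups);
    return leaked ? -1 : 0;
}

/* Corrected form of the quoted patch: the second initgroups() argument is a
 * gid_t (the user's primary group), not NULL. Groups are set first because
 * initgroups() itself requires root, then the gid, then the uid. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) {
        fprintf(stderr, "unknown user %s\n", user);
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return -1;
    }
    /* Refuse to continue if any root identity survived the drop. */
    return verify_dropped(pw->pw_uid, pw->pw_gid);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* constructed default */
    if (drop_privileges(user) != 0)
        return 1;
    printf("running as uid %u with no GID 0 in the supplementary groups\n",
           (unsigned)geteuid());
    return 0;
}
```

Run it as root with the target account as the only argument; a non-root run fails at initgroups() with EPERM, which is the expected outcome rather than a silent partial drop.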