oss-sec mailing list archives
Re: Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]
From: Simon McVittie <smcv () debian org>
Date: Fri, 06 Jun 2014 13:12:45 +0100
On 06/06/14 03:51, Jeffrey Walton wrote:
It looks like Rage Against The Cage has been rediscovered. Also known as Android ADB Setuid bug.
It appears to be the same class of implementation error (calling setuid() without checking whether it succeeded) in a different codebase - analogous to the way lots of codebases have an off-by-one buffer overflow, without off-by-one buffer overflows all being rediscoveries of the same bug.

If something invokes bash (e.g. via system()) with untrusted input while setuid, I would argue that that's a vulnerability in the invoking process; the fact that bash tries to drop privileges is a hardening measure (attempting to mitigate other projects' vulnerabilities). So I'd characterize this as "bash had a hardening measure that doesn't work as well as it was meant to". It's still a bug, and it would still be good if the maintainers of bash fixed it so it could mitigate future vulnerabilities.

In my view, setuid[1] processes are the ones doing something unusual and risky, so the onus should be on the authors of setuid code to:

* consider whether it actually needs to be setuid
* if it does, implement it securely
* drop privileges as soon as feasible
* avoid using libraries that are not designed and documented to be setuid-safe, at least until after privileges have been irrevocably dropped

(that last point is not relevant here but is relevant in general)

S

[1] or setgid, or setcap +ep
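The error class the message names (a privilege drop whose return value is never checked) is easy to see side by side with the checked form. The following C program is an added illustration for this archive page; it is not code from bash, from Android, or from the message's author. It assumes a Linux/glibc system (setresuid, setresgid, getresuid and getresgid need _GNU_SOURCE there), and the target uid it uses is a constructed value chosen so that, when run unprivileged, the kernel refuses the switch and the two patterns visibly diverge. setuid() can fail at runtime (the Linux man page documents EAGAIN for a hit per-user process limit as well as EPERM), which is why the verification step after the calls is the part that matters.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if the real, effective and saved uid all equal `uid` and
 * the real, effective and saved gid all equal `gid`.  Checking all three
 * is what tells a caller that privileges cannot be regained later. */
static int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    if (getresgid(&rgid, &egid, &sgid) != 0)
        return 0;
    return ruid == uid && euid == uid && suid == uid &&
           rgid == gid && egid == gid && sgid == gid;
}

/* The bug class under discussion: the syscall results are discarded, so
 * the function reports success regardless of what the kernel did. */
static int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    int ignored;

    ignored = setgid(gid);
    ignored = setuid(uid);
    (void)ignored;      /* deliberately never inspected */
    return 0;
}

/* Hardened form: change the group first (once the uid is unprivileged the
 * gid can no longer be changed), check every call, then verify the result
 * rather than trusting the return codes alone.  A caller that gets -1 must
 * abort, because the process may be in a half-dropped state. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (!ids_fully_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed target: an id an unprivileged process may not switch to,
     * so the call fails and the difference between the patterns shows. */
    uid_t target_uid = getuid() + 1;
    gid_t target_gid = getgid();
    int rc;

    rc = drop_privileges_unchecked(target_uid, target_gid);
    printf("unchecked: returned %d, ids really dropped: %s\n",
           rc, ids_fully_dropped(target_uid, target_gid) ? "yes" : "NO");

    rc = drop_privileges_checked(target_uid, target_gid);
    printf("checked:   returned %d (%s)\n",
           rc, rc == 0 ? "ok" : strerror(errno));
    return 0;
}
```

Run as an ordinary user, the unchecked variant reports 0 while the identity check shows nothing changed; the checked variant returns -1 with the kernel's reason. The same verification belongs in any setuid program that shells out, since the invoking process, not the invoked shell, is the one responsible for the drop.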