oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Solar Designer <solar () openwall com>
Date: Thu, 30 Jul 2015 06:29:28 +0300
On Thu, Jul 23, 2015 at 10:09:54AM -0700, Qualys Security Advisory wrote:
> Qualys Security Advisory
>
> CVE-2015-3245 userhelper chfn() newline filtering
> CVE-2015-3246 libuser passwd file handling
>
> --[ Summary ]-----------------------------------------------------------------
>
> The libuser library implements a standardized interface for manipulating
> and administering user and group accounts, and is installed by default on
> Linux distributions derived from Red Hat's codebase. During an internal
> code audit at Qualys, we discovered multiple libuser-related
> vulnerabilities that allow local users to perform denial-of-service and
> privilege-escalation attacks. As a proof of concept, we developed an
> unusual local root exploit against one of libuser's applications.
Excellent work, Qualys!

However, this brings up the question: why didn't Red Hat do a security
audit of this software they developed before putting it into their
distros? I think Red Hat's own security team would have spotted these
issues if it were tasked with proactive security audits of internally
developed software (or of small yet critical components like this)
rather than only(?) with security response. (I am writing this without
knowledge of how Red Hat's security team operates internally. I am
merely guessing.)

These are not some subtle bugs that one could easily overlook in a large
codebase. These are clear design flaws, of the kind we used to see found
and fixed in the 1990s, in small and obviously security-critical
components.

I understand there's probably more than enough security response work to
keep the existing security team 100% busy, so maybe another sub-team is
needed for this - or it can be outsourced, e.g. to Qualys or Openwall. ;-)

The recent ABRT and apport findings by Tavis Ormandy and these userhelper
and libuser findings by Qualys suggest that what's now known as Secure
Software Development Life Cycle (S-SDLC) is missing at both Red Hat and
Canonical. Will this change?

Alexander
Current thread:
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser, (continued)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 25)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Hanno Böck (Jul 26)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brandon Perry (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 27)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Ankeet Presswala (Jul 27)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser z80 (Jul 29)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)