oss-sec mailing list archives
Re: CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure
From: cve-assign () mitre org
Date: Thu, 25 Aug 2016 10:09:32 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
https://bugzilla.redhat.com/show_bug.cgi?id=1339935
The inclusion of "INPUTRC" in env_keep in /etc/sudoers allowed information disclosure through readline-enabled programs parsing the named file with elevated privileges. Local users with sudo access could read (portions of) specially-formatted files with elevated privileges.
This flaw is distribution-specific - upstream sudo does not include INPUTRC
RHEL and Fedora by default include INPUTRC in /etc/sudoers, exposing this issue to users of the default sudo configuration. INPUTRC should not be included in "env_keep" at all, or else somehow restricted to non-restricted shells (ie /bin/sh, /bin/bash). It is also possible to cause segmentation fault through stack exhaustion in the target application by having INPUTRC specify a file with an $include directive for itself.
Use CVE-2016-7091. The scope of this CVE is the entire 'INPUTRC should not be included in "env_keep" at all, or else somehow restricted' problem, which has both the information disclosure and segmentation fault outcomes.
https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00012.html
Since there is already current_readline_init_include_level, maybe implementing a max level for $include's would be worthwhile.
I'll consider it for the next version.
If there is a reason that this must also be considered a vulnerability in readline, please let us know. For example, maybe there are other common programs that accept an INPUTRC environment variable over the network during a login session for an authenticated attacker who is only supposed to be able to execute a single command. Suppose that this attacker can also create files beginning with $include (e.g., by writing to a shared filesystem or using FTP upload). The unlimited include level might allow much more resource consumption than intended. Another possibility is that the INPUTRC environment variable could specify a file that should not be read by this type of restricted account, e.g., the /dev/zero file. However, we do not know of a realistic attack scenario in which readline would be considered the vulnerable software. There are no other CVE IDs -- either for readline or for any other software -- at this time. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXvvuFAAoJEHb/MwWLVhi2ucMQAKsQXvK2gNQ6/9pOTw4h8S/o 9W2+DM+LsA2SgVI5IpsACmQqMTWN2mCPuSL/+Ba6PD7Tcda0TA7wsqfgw0kIJUEr etlI9ifWlCwWjpO9mwhPmJAPLPj2AX65JcbdTZpEK472zJNdeF8R4+QA+FJ9y4+G /UCkSRiH826E96shfmqadYaztcNLRtIfCgmXSiHsaRrkTyGKYIyQMynqxoqrG8Qg tztX0rIs9oMG+1BqHdJU+aV2vHnGMTRnqoVW7oPObsfTrgBzJrMNOyoY33ZpNDMQ GWzySg09zPt0qayktjA/tuqdkNEswq1Qirmr7Ai8rODuHBdK9+oJGMTuqC1NmaAr ZSilLQl1mnwgPMXD9THK2Dui7th4WCPEB+pp+zQ0uDogpuknzzwuftZLuYrHPFsp WsGiE7bEy4Uh1LK0ROLsd23bXuoYaIBj/iiQNUoEDckQYBuZRn0ZCYXyVjL7guLh ApQ4j5zYt++h0TzolF1t+2fw3SrCVuV4OE0gdmkcaDWCVgwvc/s/+ADZJUlongG3 VTFzG8iy4gJ8F+JOrJS7qX0g+wykDtDSqPfuDAhzgkQyS6MHwOJMM8g6UtsUlyYE LY8CaZJpLMNSf1+NbLzoHpaMt0Vys+cHOiBvwDfvwlseR9Wd91xDAOFcgxEAr8Av GulJIV7CVPniP8lUCUhY =B2yA -----END PGP SIGNATURE-----
Current thread:
- CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure Doran Moppert (Aug 24)
- Re: CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure cve-assign (Aug 25)