oss-sec mailing list archives

Re: CVE request: oping allows the disclosure of arbitrary file contents

From: Tomas Hoger <thoger () redhat com>
Date: Mon, 16 Nov 2009 22:51:16 +0100

On Thu, 15 Oct 2009 15:15:57 +0200 Julien Tinnes <jt () cr0 org> wrote:

in case anyone cares, oping also attempts to drop privileges with
setuid(getuid()); without checking setuid()'s return value.

It's an obvious vulnerability, because a local attacker can make
setuid() fail by setting a resource limit of 0 for RLIMIT_NPROC with
setrlimit().


Does the RLIMIT_NPROC trick work against oping, or any setuid app that
calls setuid(getuid())?

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

Re: CVE request: oping allows the disclosure of arbitrary file contents Julien Tinnes (Oct 15)
- Re: CVE request: oping allows the disclosure of arbitrary file contents Josh Bressers (Oct 15)
  - Re: CVE request: oping allows the disclosure of arbitrary file contents Julien Tinnes (Oct 15)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Josh Bressers (Oct 16)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Steven M. Christey (Oct 16)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents yersinia (Oct 17)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Steven M. Christey (Nov 09)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents security curmudgeon (Nov 09)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Josh Bressers (Nov 09)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Steven M. Christey (Nov 09)
- Re: CVE request: oping allows the disclosure of arbitrary file contents Tomas Hoger (Nov 16)
  - Re: CVE request: oping allows the disclosure of arbitrary file contents Josh Bressers (Nov 16)
    - Re: CVE request: oping allows the disclosure of arbitrary file contents Tomas Hoger (Nov 17)