Re: CVE request: multiple libraries getenv() misuse

[Solar Designer <solar () openwall com>]

On Tue, May 31, 2011 at 10:21:33AM +0200, Sebastian Krahmer wrote:
> While investigating the libs vs. fscaps issue [1] which showed
> that most libs need patching in order to work properly with fscaps
> binaries, it was also found that a lot of libs do not even honour
> suid binaries correctly. These libs use getenv() to obtain information
> about configuration/files or plugin directories. These info can be
> "chosen with care" by attackers to trick the suid programs to execute
> code as root or do harm otherwise.
> Among these libs are libudev, libdbus, libhal, libgssglue or libcrypto
> (openssl). libudev, libdbus, libhal are linked against suid Xorg.
> libgssglue is linked against mount.nfs.
> Most of these libs were probably never intented to be linked against
> suids, but nevertheless they are.
>
> Since the issues are all of the same family I would suggest to assign
> one CVE (or two, if you want to separate missing fscaps checks from
> euid != uid issue).

I think it'd be a good idea to keep track of these issues per-library on
the wiki:

http://oss-security.openwall.org/wiki/code-reviews

> [1] http://www.suse.de/~krahmer/libs-vs-fscaps/

I got your OpenSSL changes into Owl-current yesterday (except for the
changes to OPENSSL_issetugid() itself, which on Owl was already using
__libc_enable_secure).  The rest of the libraries that you mention are
not in Owl.

Thanks,

Alexander