Re: CVE request (and disclosure): ax25d missing setuid return code check

[Eren Türkay <eren () pardus org tr>]

On Tue, Aug 09, 2011 at 11:33:04PM -0400, Dan Rosenberg wrote:
> The AX.25 daemon (ax25d), typically provided in the ax25-tools
> package, allows administrators to associate incoming AX.25, NET/ROM,
> and ROSE traffic with the execution of an endpoint program (most
> commonly "node"), which is run under a specified user account.
> Because ax25d is missing a check on the return code for a setuid call
> responsible for dropping privileges to the specified user, it may be
> possible to cause setuid to fail, after which the chosen program will
> be executed with root privileges.  In other words, if you're in the
> business of handing out unprivileged shells over amateur radio (don't
> we all? :p ), this would allow for remote compromise.

Hello,

Thank you for your investigation on the topic. Although this issue seems
to be low-priority, it's good to let the maintainers know.

I'm CCing Ralf Baechle, and Thomas Osterried who, accordingly to
linux-ac25 site, are the maintainers of ax25 utilities.

> -Dan

-- 
        . 73! DE TA1AET

Attachment: _bin
Description: