Re: CVE Request -- libgssapi, libgssglue -- Ability to load untrusted configuration file, when loading GSS mechanisms and their definitions during initialization

[Marcus Meissner <meissner () suse de>]

On Fri, Aug 12, 2011 at 09:37:19PM +0200, Tomas Hoger wrote:
> On Mon, 25 Jul 2011 08:57:10 +0200 Sebastian Krahmer wrote:
>
> > On Fri, Jul 22, 2011 at 03:56:22PM -0400, Josh Bressers wrote:
> > > I presume this only needs one ID
> > >
> > > Use CVE-2011-2709
> >
> > You probably speak about:
> >
> > http://www.suse.de/~krahmer/libs-vs-fscaps/
>
> I believe Josh was referring to libgssapi and libgssglue mentioned in
> the subject.  It's the same code in both, libgssglue is libgssapi
> renamed.
>
> Would you mind sharing the patch you used in SLE packages?  It does not
> seem to have been fixed in OpenSUSE yet.  Thanks!

I just did a basic uid check.

Index: libgssglue-0.1/src/g_initialize.c
===================================================================
--- libgssglue-0.1.orig/src/g_initialize.c
+++ libgssglue-0.1/src/g_initialize.c
@@ -34,6 +34,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #ifdef USE_SOLARIS_SHARED_LIBRARIES
 #include <dlfcn.h>
@@ -195,7 +197,8 @@ static void solaris_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
        filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {
@@ -270,7 +273,8 @@ static void linux_initialize ()
     void *dl;
     gss_mechanism (*sym)(void), mech;
 
-    if ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)
+    if ((getuid() != geteuid()) ||
+        (filename = getenv("GSSAPI_MECH_CONF")) == NULL)
        filename = MECH_CONF;
 
     if ((conffile = fopen(filename, "r")) == NULL) {