oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: radvd 1.8.2 released with security fixes

From: Vasiliy Kulikov <segoon () openwall com>
Date: Fri, 14 Oct 2011 12:13:39 +0400
Hi Huzaifa,

On Fri, Oct 14, 2011 at 10:15 +0530, Huzaifa Sidhpurwala wrote:

I dont think so. From the code i have read so far, here is what
seems to happen.

- radvd starts as root
- reads the configs
- if a username is specified (user=radvd in most cases):
      - if "--singleprocess" is not specified:
              - run privsep_init(): This forks another process which
                runs as root. So after this point we have two
                processes both running as root
              - If privsep_init() fails, we have just one process
                running as root
      - run drop_root_privileges():
              If this succedes, we have two processes one running as
              root and another as radvd user, or if privsep_init()
              failed earlier, we have one process running as radvd
              user.
              If this fails, application quits
- If username was not specified radvd continues to run as a single
process as root.


So failure in privsep_init() results in just one process running as
radvd user. If it did not fail it would result in one process
running as root and another as radvd user.

I dont think this would be a security issue in my opinion.


Indeed, if privsep_init() fails the only visible change would be no
future changes to interface settings.  I was misled by the option name -
it looks like privsep disabling (opposition to --username), but in
reality it totally disables privileged operations.

Thanks for spotting it, I think CVE-2011-3603 should be rejected.

-- 
Vasiliy
Previous By Date Next
Previous By Thread Next

Current thread: