oss-sec mailing list archives

Re: CVE Request: powerdns does not clear supplementary groups


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 25 May 2012 11:55:50 -0600


On 05/24/2012 04:56 PM, Solar Designer wrote:
On Thu, May 24, 2012 at 06:15:53PM -0400, Steve Grubb wrote:
Here is a real life case:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid)
!= 0 || +                                setuid(pw->pw_uid) != 0
)
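Review bot: the second argument to initgroups() is a gid_t, so the NULL here is converted to 0 and group 0 is added to the supplementary group list instead of the list being reset to the target user's groups; setgid(pw->pw_gid) only changes the primary gid, so root group membership survives the drop (this is exactly what the compiler warning "makes integer from pointer without a cast" is pointing at). Pass the target user's primary group: `if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0 )`. The call order (groups, then gid, then uid) is right as written; it would also be worth calling getgroups() after the drop and refusing to continue if gid 0 is still present.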

This is not upstream. This is a patch to drop capabilities by
changing uid/gid. The person writing the patch intended to do the
right thing - but failed. See the bug? This is in a network
facing daemon that parses untrusted network packets.

Wow.  The NULL results in group 0 being added to the supplementary 
groups list (so it survives the setgid(), at least on my quick
test).

How did you spot this?  Compiler warning?

"passing arg 2 of `initgroups' makes integer from pointer without a
cast"

Alexander

Ok this part I did not know, so this is an obvious trust boundary
violation (the intention was to drop privileges but it instead ADDS
root privileges).

Please use CVE-2012-2653 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

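The privilege-drop sequence discussed in this thread, written out as an added example that is neither PowerDNS code nor the patch author's code: the buggy call beside the corrected one, and a self-check a daemon can run after dropping so that a leftover gid 0 in the supplementary list is caught before it serves any traffic. The user name "nobody" and the sample group lists are placeholders constructed for the example; the code assumes a POSIX system that provides initgroups(3) and getgroups(2).

```c
/* Added example, not PowerDNS or the patch author's code: the privilege-drop
 * pattern from the thread, buggy and corrected, plus a post-drop self-check.
 * Assumes a POSIX system providing initgroups(3) and getgroups(2). */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* The pattern in the quoted patch. initgroups()'s second argument is a
 * gid_t, so NULL silently becomes 0: group 0 is ADDED to the supplementary
 * list, and the later setgid() only changes the primary gid. */
int drop_privs_buggy(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, (gid_t)0 /* what NULL converts to */) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Corrected: the target user's primary gid goes into the supplementary
 * list. Order matters: groups, then gid, then uid, because once the uid is
 * unprivileged the group calls fail with EPERM. */
int drop_privs_fixed(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if g appears in the n-entry group list, 0 otherwise. */
int groups_contain(const gid_t *gids, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == g)
            return 1;
    return 0;
}

/* Returns 0 when uid, gid and every supplementary group are non-root,
 * -1 otherwise. Pure, so it can be exercised on constructed lists. */
int privileges_dropped(uid_t uid, gid_t gid, const gid_t *gids, int n)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (groups_contain(gids, n, 0))
        return -1;
    return 0;
}

/* Reads the live credentials of this process and checks them. */
int verify_current_process(void)
{
    int n = getgroups(0, NULL);          /* query how many groups we hold */
    if (n < 0)
        return -1;
    gid_t *gids = calloc((size_t)n + 1, sizeof *gids);
    if (gids == NULL)
        return -1;
    n = getgroups(n + 1, gids);
    int rc = (n < 0) ? -1 : privileges_dropped(getuid(), getgid(), gids, n);
    free(gids);
    return rc;
}

/* Constructed sample lists: what the buggy drop leaves behind (gid 0 kept)
 * versus what the fixed drop leaves (only the target user's group). */
const gid_t sample_after_buggy[] = { 0, 65534 };
const gid_t sample_after_fixed[] = { 65534 };
const int sample_after_buggy_n = 2;
const int sample_after_fixed_n = 1;

int main(void)
{
    const struct passwd *pw = getpwnam("nobody"); /* placeholder user */
    if (pw == NULL) {
        fputs("no such user\n", stderr);
        return 1;
    }
    if (drop_privs_fixed(pw) != 0) {
        perror("drop_privs_fixed (must start as root)");
        return 1;
    }
    /* Refuse to serve if anything privileged survived the drop. */
    if (verify_current_process() != 0) {
        fputs("privilege drop incomplete, aborting\n", stderr);
        return 1;
    }
    puts("running unprivileged");
    return 0;
}
```

The self-check is the part worth keeping in a real daemon: the bug in the thread passed every return-value check in the patch, and only a compiler warning caught it, so a post-drop getgroups() inspection is the cheap runtime guard that would have refused to start in that state.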
