Re: Re: Problems in automatic crash analysis frameworks

[Tavis Ormandy <taviso () google com>]

On Tue, Apr 14, 2015 at 1:35 PM, Tavis Ormandy <taviso () google com> wrote:
> On Tue, Apr 14, 2015 at 9:02 AM, Marc Deslauriers
> <marc.deslauriers () canonical com> wrote:
> > Hi,
> >
> > On 2015-04-14 11:55 AM, cve-assign () mitre org wrote:
> > > This is mostly a question for the persons who assigned CVE-2015-1318
> > > and CVE-2015-1862. Should these CVE assignments be interpreted to
> > > mean:
> > >
> > >   CVE-2015-1318 - in Apport, an unprivileged user can use a
> > >                   namespace-based attack because there is an execve by
> > >                   root after a chroot into a user-specified directory
> >
> > Yes, I assigned CVE-2015-1318 to that specific issue in Apport.
> >
> > Marc.
>
> It looks like this is the patch for Apport:
>
> http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943#data/apport
>
> It's far more complicated than I expected, and not obviously correct.
> It could probably use some review, I'll think about it today.
>
> Tavis.

Wait, my first thought is that it's not obvious to me that
/proc/net/unix is guaranteed to be newline delimited, newline is a
perfectly valid name in a filename, no?

> > > import socket
> > > socket.socket(socket.AF_UNIX, socket.SOCK_STREAM).bind('test\ntest')
> > > sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
> > > sock.bind('/tmp/foo\nbar')
> > > sock.listen(1)

$ grep -A1 foo /proc/net/unix
0000000000000000: 00000002 00000000 00010000 0001 01 4772228 /tmp/foo
bar