oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

From: Solar Designer <solar () openwall com>
Date: Thu, 30 Jul 2015 06:29:28 +0300

On Thu, Jul 23, 2015 at 10:09:54AM -0700, Qualys Security Advisory wrote:

Qualys Security Advisory

CVE-2015-3245 userhelper chfn() newline filtering

CVE-2015-3246 libuser passwd file handling


--[ Summary ]-----------------------------------------------------------------

The libuser library implements a standardized interface for manipulating
and administering user and group accounts, and is installed by default
on Linux distributions derived from Red Hat's codebase. During an
internal code audit at Qualys, we discovered multiple libuser-related
vulnerabilities that allow local users to perform denial-of-service and
privilege-escalation attacks. As a proof of concept, we developed an
unusual local root exploit against one of libuser's applications.


Excellent work, Qualys!

However, this brings up the question: why didn't Red Hat do a security
audit of this software they developed before putting it into their
distros?  I think Red Hat's own security team would have spotted these
issues if it were tasked with proactive security audits of internally
developed software (or of small yet critical components like this)
rather than only(?) with security response.  (I am writing this without
knowledge of how Red Hat's security team operates internally.  I am
merely guessing.)  These are not some subtle bugs that one could easily
overlook in a large codebase.  These are clear design flaws, of the kind
we used to see found and fixed in 1990s, in small and obviously
security-critical components.

I understand there's probably more than enough security response work to
keep the existing security team 100% busy, so maybe another sub-team is
needed for this - or it can be outsourced, e.g. to Qualys or Openwall. ;-)

The recent ABRT and apport findings by Tavis Ormandy and these userhelper
and libuser findings by Qualys suggest that what's now known as Secure
Software Development Life Cycle (S-SDLC) is missing at both Red Hat and
Canonical.  Will this change?

Alexander

Current thread:

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser, (continued)
- - - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brad Knowles (Jul 25)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Hanno Böck (Jul 26)
  - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brandon Perry (Jul 24)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 27)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Ankeet Presswala (Jul 27)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser z80 (Jul 29)
    - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)
  - Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Stephan Wiesand (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser gremlin (Jul 26)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Qualys Security Advisory (Jul 31)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Jeff Collins (Jul 27)