oss-sec mailing list archives
CVE Request: two flaws in hesiod permitting privilege elevation
From: Doran Moppert <dmoppert () redhat com>
Date: Fri, 20 Jan 2017 12:15:14 +1030
Two flaws in Hesiod reported May 2016 - neither has made it into an upstream release yet, but one is fixed in trunk and patches are available for both. Note that glibc is not affected by either of these issues. Originally reported by Florian Weimer.

# Weak SUID check allowing privilege elevation

Hesiod unsafely checks EUID vs UID in a few places, consulting environment variables for configuration if they match. This could be used for privilege elevation under some circumstances. The fix uses secure_getenv() in place of getenv().

https://bugzilla.redhat.com/show_bug.cgi?id=1332508
https://github.com/achernya/hesiod/pull/9

# Use of hard-coded DNS domain if configuration file cannot be read

If opening the configuration file fails, hesiod falls back on a default domain ".athena.mit.edu" to retrieve managed information. A local attacker with the opportunity to poison DNS cache could potentially elevate their privileges to root by causing fopen() to fail.

https://bugzilla.redhat.com/show_bug.cgi?id=1332493
https://github.com/achernya/hesiod/pull/10

Thanks,

-- 
Doran Moppert
Red Hat Product Security
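The two patterns from the report, as an added illustration that is not code from the hesiod sources, the pull requests or the message above: the UID-only environment trust check beside a model of the condition secure_getenv() enforces, and the hard-coded domain fallback beside a reader that reports the failure instead. The function names, the minimal "rhs=" parsing and the sample paths are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Flaw 1 (report): env trusted after a UID-only check; a setgid process passes it. */
int env_trusted_weak(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    (void)gid; (void)egid;
    return uid == euid;
}

/* Model of glibc secure_getenv(): refuse when the process started AT_SECURE
 * (setuid, setgid, or file caps; caps are not visible from ids, so omitted). */
int env_trusted_secure(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Flaw 2: where the domain comes from when the config cannot be opened.
 * Minimal parse of the "rhs=" line, the hesiod.conf key for the domain. */
static const char *read_rhs(FILE *f, char *out, size_t n)
{
    char line[256];
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "rhs=", 4) != 0) continue;
        strncpy(out, line + 4, n - 1); out[n - 1] = '\0';
        out[strcspn(out, "\r\n")] = '\0';   /* drop the newline */
        return out;
    }
    return NULL;
}

/* Vulnerable: an unreadable or empty file silently becomes the MIT domain. */
const char *domain_weak(const char *path, char *out, size_t n)
{
    FILE *f = fopen(path, "r");
    const char *r = f ? read_rhs(f, out, n) : NULL;
    if (f) fclose(f);
    return r ? r : ".athena.mit.edu";
}

/* Fixed: failure to open or parse is reported to the caller, not hidden. */
const char *domain_fixed(const char *path, char *out, size_t n)
{
    FILE *f = fopen(path, "r");
    const char *r = f ? read_rhs(f, out, n) : NULL;
    if (f) fclose(f);
    return r;
}
```

With the weak check a setgid binary (uid == euid, gid != egid) still consults the environment, while the secure condition refuses; with the weak reader any fopen() failure yields a domain the attacker did not have to configure.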