Bug#: 133615
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2006-05-17 09:50 0000
Reported by Solar Designer on V-S:

This is regarding the patch at:

http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.50&r2=1.51

with the commit message:

"useradd: fixes a potential security problem when mailbox is created in
useradd.
Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
Only two arguments are passed to the open() call though it expects three
because O_CREAT is present. Hence the permission of the file first becomes
some random garbage found on the stack, and an attacker can perhaps open
this file and hold it open for reading or writing before the proper
fchmod() is executed. (Actually, we could also pass the final "mode" to
the open() call and then save the consequent fchmod().)"

which is now being tracked as CERT VU#312962.

The patch forgets to check the return value from fchown() before
proceeding with the fchmod().  We've got a better version of the patch
(essentially a re-implementation of this functionality) here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD

As far as I can recall, this re-implementation is originally by Rafal
Wojtczuk and it's been in Owl since 2001:

* Wed Aug 21 2001 Rafal Wojtczuk <nergal-at-owl.openwall.com>
- fixed mailbox creation, which was wrong in rh patch

(actually committed into Owl in November, 2001).

Also, no, it would not be safe to pass the final mode into open() right
away.  That would open up a race condition, too, where the file might be
read/writable by group root instead of group mail for a moment.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-05-18 08:51:02 0000 -------
vpaier, you are in the base-system herd, mind taking a look?

------- Comment #2 From SpanKY 2006-05-26 00:03:16 0000 -------
this isn't CONFIDENTIAL as it's been merged in upstream cvs

I've grabbed the upstream fix and added shadow-4.0.15-r2:
http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.93&r2=1.94

------- Comment #3 From Thierry Carrez (RETIRED) 2006-05-30 11:32:23 0000 -------
archs please test and mark shadow-4.0.15-r2 stable

------- Comment #4 From Markus Rothe 2006-05-30 12:23:51 0000 -------
stable on ppc64

------- Comment #5 From Luca Barbato 2006-05-30 13:28:52 0000 -------
Marked ppc

------- Comment #6 From Chris Gianelloni (RETIRED) 2006-05-30 14:22:56 0000 -------
Oh yeah... amd64/x86 done... (sorry for the bug spam)

------- Comment #7 From Gustavo Zacarias (RETIRED) 2006-05-30 14:26:21 0000 -------
sparc stable.

------- Comment #8 From Markus Ullmann 2006-05-30 15:18:02 0000 -------
ARM done

------- Comment #9 From Thomas Cort (RETIRED) 2006-05-31 20:39:29 0000 -------
alpha stable.

------- Comment #10 From René Nussbaumer 2006-06-03 02:45:30 0000 -------
stable on hppa

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-06-07 07:23:58 0000 -------
GLSA 200606-02

------- Comment #12 From Joshua Kinard 2006-07-08 20:54:11 0000 -------
The mips team doth anoint this bug with the Mark of Stability +1.
