The following advisory from securesoftware@list.cr.yp.to is for an older version of uml-utilities, but I've verified that it still works:

Date: 15 Dec 2004 08:32:41 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [local] [kill] uml-utilities 20030903 uml_net slip_down() fails to check permissions
To: securesoftware@list.cr.yp.to, user-mode-linux-devel@lists.sourceforge.net
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to, user-mode-linux-devel@lists.sourceforge.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

Danny Lungstrom, a student in my Fall 2004 UNIX Security Holes course, has discovered that uml_net, when installed setuid root (as is normal), allows any local user to type

    ./uml_net 4 slip down eth0

to take down the computer's Ethernet connection. The connection stays down until the system administrator manually brings it back up. I'm publishing this notice, but all the discovery credits should be assigned to Lungstrom.

The underlying bug is that, in slip.c, slip_down() has no idea whether the user is actually allowed to take down the specified interface.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Sascha, thanks for entering all these and verifying this one :)
======================================================
Candidate: CAN-2004-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1295
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt

The slip_down function in slip.c for the uml_net program in uml-utilities 20030903, when uml_net is installed setuid root, does not verify whether the calling user has sufficient permission to disable an interface, which allows local users to cause a denial of service (network service disabled).
======================================================
Start of discussion on the fix on uml-devel @ http://marc.theaimsgroup.com/?t=110309975100003&r=1&w=2
Upstream just published patches: http://marc.theaimsgroup.com/?l=user-mode-linux-devel&m=111017058101508&w=2
Time for us to bump. CCing base-system (listed in metadata.xml, sorry) and tantive (last bumper).
johnm: did you have time to look into this?
fixed in cvs.
Stable on all affected arches... security please vote on GLSA.
1/2 vote NO
I vote NO.
Closed without GLSA, reopen if you disagree