| Field | Value |
|---|---|
| Summary | net-dialup/ppp setuid() issue (CVE-2006-2194) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | net-dialup |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.ubuntu.com/usn/usn-310-1 |
| Whiteboard | C1 [noglsa] Falco |
| Package list | |
| Runtime testing required | --- |
| Attachments | winbind-drop-privs.patch (attachment 91097) |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-07-06 13:30:52 UTC
--> C because it does not affect the default conf (pam limits + winbind plugin)
--> *1 because there is a possible privilege escalation

I don't understand how the CVE can reference ppp 2.4.4 as vulnerable, since from the official web site: "ppp 2.4.3 The latest version of ppp is version 2.4.3, released on 14 November 2004." http://samba.org/ppp/
--> setting to [upstream] status. Waiting.

C1 -> major, the policy says.

I understand that the patch available at http://lists.opensuse.org/archive/opensuse-commit/2006-Jun/0117.html fixes this problem. BTW, I find it strange that upstream wasn't informed about it.

Can someone enlighten me how setuid(getuid()) could be exploited? If the effective user is root, it will always succeed, isn't it?

No, we had a couple of those lately. It's not guaranteed that you can drop privs. If the user's process limit is exceeded, for example, dropping fails. If you don't check the return code, your code will run as root as opposed to the unprivileged user you wanted to change to. BTW, good reading IMHO: http://www.csl.sri.com/users/ddean/papers/usenix02.pdf

Created attachment 91097: winbind-drop-privs.patch

Would this patch be OK from the security POV?

Looks OK to me. Any different POVs?

> Would this patch be OK from the security POV?

It's OK for me.

Fixed in ppp-2.4.3-r16 (give it a couple of hours till the patches tarball is uploaded on our mirrors from dev.g.o:/space/distfiles-local). The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have the winbind plugin.

> Fixed in ppp-2.4.3-r16 (give it a couple of hours till the patches tarball is
> uploaded on our mirrors from dev.g.o:/space/distfiles-local).

Good, thanks.

> The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have
> the winbind plugin.

There will be no GLSA then; closing. Thank you for being so fast, Alin. As usual, feel free to reopen if needed.
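The failure mode discussed in the thread above (an unchecked setuid(getuid()) that leaves the process running with effective uid 0 when the kernel refuses the switch) as an added example; this is not code from this bug, from the attached patch, or from the ppp winbind plugin. It places the unchecked pattern beside a checked version that verifies the resulting credentials and confirms that root cannot be regained, the approach recommended by the "Setuid Demystified" paper linked above. The function names, the `drop_privs_*` helpers and the driver in `main()` are mine, and the code assumes Linux with glibc or musl.

```c
/* Feature macro so setreuid()/setregid()/setgroups() are declared even under
 * strict -std= modes. Assumed target: Linux with glibc or musl. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * The pattern this bug is about: the return values of setgid()/setuid() are
 * thrown away. If the kernel refuses the switch (EPERM without CAP_SETUID,
 * EAGAIN when kernel data structures cannot be allocated, or, on kernels
 * before Linux 3.1, EAGAIN because the target uid's RLIMIT_NPROC is exhausted),
 * the caller silently keeps running with the privileged effective uid.
 * Illustrative only; this is not the winbind plugin's actual code.
 */
static void drop_privs_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);   /* result ignored */
    setuid(uid);   /* result ignored: on failure euid stays 0 */
}

/*
 * Checked version (hypothetical helper). Returns 0 only if every step
 * succeeded and the new credentials were verified; returns -1 with errno set
 * otherwise. A caller must treat -1 as fatal (log and exit), never carry on
 * as root.
 */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    /* Only root may change the supplementary group list. When leaving root,
     * clear it so the unprivileged user does not inherit root's groups. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once the uid is dropped we could no longer change gids.
     * setregid()/setreuid() with both arguments set also update the saved ids. */
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Do not trust the return values alone: verify what the kernel did. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* If we left root, regaining it must now be impossible. If setuid(0)
     * succeeds, a saved uid or a retained capability still lets us back in. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    drop_privs_unchecked(uid, gid);   /* no way to tell whether this worked */

    if (drop_privs_checked(uid, gid) != 0) {
        fprintf(stderr, "dropping privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());

    /* Without privileges, a switch to root must be refused, not ignored. */
    if (getuid() != 0 && drop_privs_checked(0, 0) != 0)
        printf("switch to uid 0 refused as expected: %s\n", strerror(errno));
    return 0;
}
```

Build with `cc -o droptest droptest.c`; run it as root (for example via sudo) to see a real drop, and as an ordinary user to see the refused switch reported instead of silently ignored. One caveat on the process-limit case mentioned in the thread: since Linux 3.1 the RLIMIT_NPROC check is applied at execve() rather than inside setuid(), so setuid() itself no longer returns EAGAIN for that reason, but it can still fail for others (EPERM without CAP_SETUID, EAGAIN on allocation failure), which is why the return value and the resulting ids must always be checked.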