Summary: | net-mail/cmd5checkpw is installed setuid, but does not drop euid | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Florian Westphal <westphal> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | net-mail+disabled, robbat2 | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | B4 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Florian Westphal
2005-01-16 11:34:26 UTC
Created attachment 48674 [details, diff]
cmd5checkpw: set euid to uid of calling user
net-mail herd, please comment (on the need to be SUID and on the patch) Florian: did you try to contact upstream yet ? I emailed brush@elysium.pl about this a few minutes ago. (same Bugreport + patch) (I thought this was a Gentoo specific bug at first before seeing that upstream docs suggest making cmd5checkpw setuid) Reassigning this as a vulnerability, since it's a clear local information leak. Florian: any answer from upstream ? No reply from upstream until now. The last 'news' item on the project homepage is dated 09.10.2000... net-mail: please comment. Can cmd5checkwp not be setuid ? If not, what do you think of the patch ? langthang asked me to comment on this bug. There we go. Quoting the manpage of cmd5checkpw: FILES /etc/poppasswd - this file contains pairs of logins and clear text passwords separated by ":". It looks like this: login1:password1 login2:password2 Best way to protect it is to make it readable only for one specific user different than you normal system users and make cmd5checkpw suid that user. Therefore, I would say that cmd5checkpw has to be setuid if /etc/poppasswd is only readable by a specific user. But I also think that dropping the effective uid wouldn't hurt. If nobody else (robbat2?) sees a problem in here, we should apply the patch. Robin, what do you think about this patch? Can we apply it? Upstream looks dead... net-mail: please apply the patch or drop the package. The patch is now applied to cmd5checkpw-0.22-r2. The ebuild is currently in ~ARCH for testing. Please test it and comment on this bug again. Then we'll make a stabilization request to all affected architectures. Thx Micheal, reopening for stable marking. Arches please test and mark cmd5checkpw-0.22-r2 stable. x86 stable Stable on ppc and hppa. Stable on alpha. sparc stable. how is this being tested?(noone on amd64 apparently uses it) Mike: I am not a cmd5checkpw user but it looks like a password changing system that will access a /etc/poppasswd (owned by the cmd5checkpw user and -rw-------). Try creating a /etc/poppasswd file with pairs of logins and clear text passwords like this : login1:password1 And validate you can change the password as a regular user. You can also vamidate that the exploit in bug description is no longer working. Stable on mips. stable on amd64 security, pls vote on GLSA need I vote no glsa, please feel free to disagree ;) Local users can get plaintext POP passwords for their coworkers... I vote yes. not absolutely necessary, but a GLSA on this might be a good idea voting for one GLSA 200502-30 arm should park stable to benefit from GLSA |