[Pkg-shadow-devel] Pre-approval for shadow 1:4.1.1-6

Nicolas François nicolas.francois at centraliens.net
Sat Nov 15 09:25:31 UTC 2008


Hi,

On Sat, Nov 15, 2008 at 01:43:30AM +0100, Florian Weimer wrote:
> * Nicolas François:
> 
> > Release Managers, Security Team:
> > Do you want 505071 to be fixed also for Lenny?
> 
> Do you mean "etch" instead of "lenny"?

No, I really meant "Lenny" for 505071.
For 505271, I assumed it requires a fix for Lenny, and probably for
Etch.

In 505071, the problem is if I insert utmp entries for every possible PID,
with an ut_line pointing, for example, to /dev/null. Then is_my_tty will
fail, and login will be denied (until reboot).
login selects the first utmp entry (checkutmp) which matches with the PID,
but validate the ut_line much later (is_my_tty). One possible fix would be
to move is_my_tty in checkutmp to avoid being disturbed by un-closed
entries and select (or build) the right entry is the first place.

> We'd probably release a DSA once there's a patch which has some track
> record, but as far as I can tell, the issue has not been fully
> analyzed yet.  You guard against a symlink attack, but you don't seem
> to ensure that the TTY name retrieved from the utmp file is correct in
> the first place.

Before the extract of the patch, is_my_tty is called.
This ensure that tty (retrieved from utmp) and STDIN_FILENO refers to the
same device.
The is_my_tty check is kept, isn't it sufficient?

What the patch fixes is, if tty is a symlink, I really change the
ownership/mode of the device, not of tty, which may have changed since the
call to is_my_tty.

I split the two bugs because the I did not consider the DOS issue serious
enough, and the fix will have a bigger impact.
But if Security Team wants the fix for Lenny, and Etch, then I can prepare
a patch.

Best Regards,
-- 
Nekral



More information about the Pkg-shadow-devel mailing list