[Pkg-shadow-devel] Bug#657010: Bug#657010: [login] 'su' should be PIE

Török Edwin edwintorok at gmail.com
Mon Jan 23 19:06:38 UTC 2012


On 01/23/2012 08:53 PM, Nicolas François wrote:
> Hello,
> 
> On Mon, Jan 23, 2012 at 03:06:46PM +0200, edwintorok at gmail.com wrote:
>>
>> See CVE-2012-0056, a non-PIE 'su' binary makes it very easy to exploit.
> 
> Would you mind giving a bit more information?
> 
> I unfortunately stick to this PIE definition from wikipedia:

PIE refers to -fPIE from GCC of course.
Using that flag doesn't completely prevent the exploit though.

>       baked dish which is usually made of a pastry dough casing that
>       covers or completely contains a filling of various sweet or
>       savoury ingredients.
> which does not help understanding how to PIE 'su'.
> 
> Also, I have no access to CVE-2012-0056, which is under review as of
> today.

Here is a good summary and discussions:
https://lwn.net/Articles/476684/

> References I could find indicate an issue in the Linux kernel handling of
> /proc/<pid>/mem
> 
> As for using hardening compiler / linker options, I have no idea if this is
> a common practice / recommended / used in other packages.
> Would it make sense to enable such flags if not done in the PAM modules or
> by other suid programs?
> 

Apparently packages should adopt hardening flags for wheezy:
http://wiki.debian.org/Hardening#State_of_implementation

Best regards,
--Edwin
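An added example, not part of this thread or of the shadow package: the quickest way to verify the point under discussion is to read the ELF header of the installed binary and check its object type. A PIE executable is linked as ET_DYN (position-independent, so its load address can be randomized), whereas a traditional executable is ET_EXEC with a fixed load address. The checker below does that in Python so it needs no external tools; the sample headers it is tested against are constructed inline. The helper names (`elf_type`, `is_pie`, `check_file`, `make_header`) are assumptions made for this example.

```python
import struct

# ELF e_type values (ELF specification)
ET_EXEC = 2   # fixed-address executable: not PIE
ET_DYN = 3    # position-independent (PIE executable or shared object)

ELF_MAGIC = b"\x7fELF"


def elf_type(data: bytes) -> int:
    """Return e_type from the first bytes of an ELF file.

    Works for ELF32 and ELF64 in either byte order: the e_type field sits at
    offset 16 in both layouts, only its endianness depends on e_ident.
    """
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]   # 1 = ELF32, 2 = ELF64
    ei_data = data[5]    # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def is_pie(data: bytes) -> bool:
    """True if the ELF image is ET_DYN, False if ET_EXEC.

    Caveat: shared libraries are also ET_DYN, so for a file you did not
    already know to be an executable, confirm it has a PT_INTERP segment
    (or use Debian's hardening-check script) before calling it a PIE.
    """
    e_type = elf_type(data)
    if e_type == ET_DYN:
        return True
    if e_type == ET_EXEC:
        return False
    raise ValueError("not an executable image (e_type=%d)" % e_type)


def check_file(path: str) -> bool:
    """Read just the ELF header of a file on disk and report PIE status."""
    with open(path, "rb") as fh:
        return is_pie(fh.read(64))


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed sample: a minimal 64-byte ELF64 header with the given e_type.

    Only the fields the checker reads are meaningful; the rest are filler so
    the example can run offline without a real binary.
    """
    endian = "<" if little_endian else ">"
    e_ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    rest = struct.pack(
        endian + "HHIQQQIHHHHHH",
        e_type,      # e_type
        62,          # e_machine: EM_X86_64
        1,           # e_version
        0x400000,    # e_entry
        64,          # e_phoff
        0,           # e_shoff
        0,           # e_flags
        64,          # e_ehsize
        56,          # e_phentsize
        0,           # e_phnum
        64,          # e_shentsize
        0,           # e_shnum
        0,           # e_shstrndx
    )
    return e_ident + rest


if __name__ == "__main__":
    import sys
    # Usage: python pie_check.py /bin/su  -> prints PIE: True / False
    for arg in sys.argv[1:]:
        print("%s PIE: %s" % (arg, check_file(arg)))
```

On a Debian system, `check_file("/bin/su")` returning False is exactly the condition this bug report is about; after a rebuild with `-fPIE` on compile and `-pie` on link it should return True.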
