[Pkg-shadow-devel] [oss-security] Re: subuid security patches for shadow package
Bálint Réczey
balint at balintreczey.hu
Mon Jul 25 09:49:28 UTC 2016
Hi,
While this is not immediately clear from the Shadow homepage the
development continued on GitHub where I have opened two issues
for the two potential security problems:
Incorrect integer handling CVE-2016-6252:
https://github.com/shadow-maint/shadow/issues/27
Potentially unsafe use of getlogin CVE-2016-6251:
https://github.com/shadow-maint/shadow/issues/28
Probably upstream's issue tracker would be the best place
to discuss the fixes in detail. With upstream development
happening on GitHub the pkg-shadow-devel list could host
mostly Debian-packaging releated discussions and probably
not all oss-security subscribers would like to get all the
messages.
Cheers,
Balint
2016-07-25 10:39 GMT+02:00 Sebastian Krahmer <krahmer at suse.com>:
> On Mon, Jul 25, 2016 at 10:03:31AM +0200, Sebastian Krahmer wrote:
>> On Wed, Jul 20, 2016 at 11:48:52PM +0200, Nicolas François wrote:
>> > Hi,
>> >
>> > The first point looks like a non issue to me.
>> >
>> > getlogin() is used to differentiate users with the same UID.
>> > The result of getlogin() is checked: if it returns a username that do not
>> > have the UID returned by getuid(), it will be ignored.
>> >
>> >
>> > Best Regards,
>> > --
>> > Nekral
>>
>> I agree that its not a severe issue. But its dubious code at best.
>> I couldnt even imagine someone would have usernames with different UID's?
>> Maybe such configs should not be encouraged and potential issues with
>> that discussed.
>>
>> My understanding of secure coding is that getlogin() should not
>> be trusted. Having same username with multiple UIDs is also to be avoided
>> IMHO, since its asking for trouble (I dont know if thats some requirement
>> of LSB or POSIX or so?)
>
> Err, sorry. Shared UID, different name (the other way around, thanks Alex).
> But then you are open to GID hopping attacks (as also previously
> pointed out) since you actually _do_ rely on getlogin() trust.
>
> Sebastian
>
> --
>
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.com - SuSE Security Team
>
More information about the Pkg-shadow-devel
mailing list