Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4E968F6A.4090203@redhat.com>
Date: Thu, 13 Oct 2011 12:42:42 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: radvd 1.8.2 released with security fixes

On 10/07/2011 04:22 AM, Solar Designer wrote:

> 3) The radvd daemon would not fail on privsep_init() errors, which could
> cause it to run with full root privileges when it should be running as
> an unprivileged user. (CVE-2011-3603)
>

I think this is not an issue at all:

If you look at the unpatched code, in privsep-linux.c, privsep_init() 
can return -1 at two places.

A. if pipe(pipefds) fails
B. If fork() fails

If either of these functions fails, the end result is that there is no 
fork() and radvd runs as a single process.

Now looking at radvd.c


         /* drop root privileges if requested. */
         if (username) {
                 if (!singleprocess) {
                         dlog(LOG_DEBUG, 3, "Initializing privsep");
                         if (privsep_init() < 0)
                                 flog(LOG_WARNING, "Failed to initialize 
privsep.");
                 }

                 if (drop_root_privileges(username) < 0) {
                         perror("drop_root_privileges");
                         exit(1);
                 }
         }


After running privsep_init(), drop_root_privileges() is run, so :

a. if privsep_init() failed and drop_root_privileges() did not fail, you 
end up running a single radvd process running as radvd user, which is 
similar to running "radvd --singleprocess"

b. if privsep_init() failed and drop_root_privileges() failed, you bail 
out of the program, similar to what would happen if privsep_init() did 
not fail.

c. if privsep_init() and drop_root_privileges() did not fail, we have 
two radvd process, one running as radvd user and the other is root

So from what i can see, the maximum harm which would occur if 
privsep_init() fails, is that radvd would effectively run in 
--singleprocess mode





-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.