Message-ID: <20150417180907.GA26856@openwall.com>
Date: Fri, 17 Apr 2015 21:09:07 +0300
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Cc: Matt Johnston <matt@....asn.au>
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]

Rich,

You dropped the copy to Matt on the previous reply.  I've re-added it.

On Fri, Apr 17, 2015 at 02:03:25PM -0400, Rich Felker wrote:
> On Fri, Apr 17, 2015 at 01:23:27PM -0400, Rich Felker wrote:
> > And wow, this is an utter mess. Not only does dropbear fail to drop
> > root before processing forwards; it NEVER drops root at all. The
> > user's session remains running as root for its full lifetime. Aside
> > from being a huge risk, it also allows users to bypass uid-based
> > firewall rules via port forwarding; for example, a rule that forbids
> > normal users from making outgoing connections on port 25 would not be
> > honored.
> >
> > Is there any reason for not performing the setgroups/setgid/setuid
> > immediately after authentication succeeds? Have you looked at whether
> > it would be easy to patch that in?
>
> Simply copying/moving the code from svr-chansession.c's execchild to
> svr-auth.c's send_msg_userauth_success seems to fix the entire issue.
> I had to disable the (useless on systems with proper pty support)
> chown/chmod for the pty, but otherwise it seems to be working fine.

I guess changes like these should be upstream'ed.  Matt?

Thanks,

Alexander
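The setgroups/setgid/setuid sequence the thread refers to is only safe in that order, and a server that drops root right after authentication should also verify that the drop took effect. The following is an added example written for this page, not code from the email, from dropbear or from musl; the function name `drop_privileges`, its verification steps and the tolerance for an unprivileged caller are assumptions made here.

```c
#define _GNU_SOURCE          /* expose setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to `uid`/`gid` and verify the drop.  Order matters: supplementary
 * groups first, then the gid, then the uid, because each later step
 * removes the privilege needed for the earlier one.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* 1. Supplementary groups: only one entry, the target gid. */
    if (setgroups(1, &gid) < 0) {
        /* An unprivileged process may not call setgroups() at all.  That
         * is acceptable only if we never held root in the first place
         * (assumption made for this example so it runs as any user). */
        if (was_root || errno != EPERM)
            return -1;
    }

    /* 2. Primary gid, while we still have the uid privilege to set it. */
    if (setgid(gid) < 0)
        return -1;

    /* 3. Finally the uid; setuid() as root sets real, effective and saved. */
    if (setuid(uid) < 0)
        return -1;

    /* Verify every id is what we asked for ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and, when we came from root, that regaining it now fails. */
    if (was_root && uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demonstration: drop to the invoking user's own ids, which succeeds
     * whether the process started as root or not. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) < 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now running as uid=%ld gid=%ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```

The point of the trailing `setuid(0)` check is that a saved-set-uid or capability left behind would let the session re-escalate later; a server should treat a successful re-escalation as a fatal configuration error rather than continue. Where the login shell is started, this call belongs at the point right after authentication succeeds, before any port forwarding or channel request is processed.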