Message-ID: <20150417180907.GA26856@openwall.com>
Date: Fri, 17 Apr 2015 21:09:07 +0300
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Cc: Matt Johnston <matt@....asn.au>
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]

Rich,

You dropped the copy to Matt on the previous reply.  I've re-added it.

On Fri, Apr 17, 2015 at 02:03:25PM -0400, Rich Felker wrote:
> On Fri, Apr 17, 2015 at 01:23:27PM -0400, Rich Felker wrote:
> > And wow, this is an utter mess. Not only does dropbear fail to drop
> > root before processing forwards; it NEVER drops root at all. The
> > user's session remains running as root for its full lifetime. Aside
> > from being a huge risk, it also allows users to bypass uid-based
> > firewall rules via port forwarding; for example, a rule that forbids
> > normal users from making outgoing connections on port 25 would not be
> > honored.
> > 
> > Is there any reason for not performing the setgroups/setgid/setuid
> > immediately after authentication succeeds? Have you looked at whether
> > it would be easy to patch that in?
> 
> Simply copying/moving the code from svr-chansession.c's execchild to
> svr-auth.c's send_msg_userauth_success seems to fix the entire issue.
> I had to disable the (useless on systems with proper pty support)
> chown/chmod for the pty, but otherwise it seems to be working fine.

I guess changes like these should be upstream'ed.  Matt?

Thanks,

Alexander
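The fix Rich describes amounts to moving dropbear's privilege drop so it runs as soon as authentication succeeds. The following added example (written for this page, not dropbear's or Rich's code) shows the setgroups/setgid/setuid sequence in the only order that works from root, with every return value checked, plus a helper that confirms the drop actually took effect and cannot be reversed. The function names `drop_privileges` and `privileges_dropped` are hypothetical; the `main` merely demonstrates the calls with the invoking user's own ids so it can run unprivileged.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes setgroups() on glibc and musl */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to the given uid/gid (hypothetical helper).
 * The order matters: supplementary groups first and primary gid second,
 * because both require root, and the uid last, since after setuid() the
 * first two calls would fail with EPERM and leave root's groups behind.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process may change its supplementary groups; a
     * real server is root here, but skipping the call when unprivileged
     * lets the demo below run as an ordinary user. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    /* From root, setuid() changes real, effective and saved uid at once,
     * so the process cannot later return to root with seteuid(0). */
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids must match the target and, for
 * a non-root target, any attempt to regain uid 0 must fail with EPERM.
 * Returns 1 when the process is demonstrably stuck at uid/gid, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        errno = 0;
        if (setuid(0) == 0 || errno != EPERM)
            return 0;
        if (seteuid(0) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Demo only: drop to the caller's own ids so this runs without root. */
    uid_t target_uid = getuid();
    gid_t target_gid = getgid();

    if (drop_privileges(target_uid, target_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u irreversible=%d\n",
           (unsigned)getuid(), (unsigned)getgid(),
           privileges_dropped(target_uid, target_gid));
    return 0;
}
```

In a real daemon `drop_privileges` would be called with the authenticated user's ids right after the authentication-success message is sent, and `privileges_dropped` is the kind of assertion worth keeping in the code path rather than trusting the calls silently.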
