Message-ID: <55328F53.1070705@gmx.de>
Date: Sat, 18 Apr 2015 19:07:31 +0200
From: Harald Becker <ralda@....de>
To: musl@...ts.openwall.com
CC: Matt Johnston <matt@....asn.au>
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]

On 18.04.2015 18:37, Rich Felker wrote:
>> @Rich: I still get DNS error (Mozilla Thunderbird) for
>> dalias@...c.org, when trying to send mail :(
>
> Odd. I just verified that Google's 8.8.8.8 resolves it right, so I
> don't know what's wrong, but it seems to be on your end. Let me know
> if you find anything that looks like a problem on my side.

AFAIK, you use a CNAME as MX, which is resolved on some, but not all systems / programs. You need to add an absolute IP address for your MX, not a CNAME, to be accessible for all. A-record lookup is ok (resolved recursive), but MX lookup fails (doesn't do recursive lookup everywhere).

>> On 18.04.2015 17:58, Rich Felker wrote:
> Well anything that gets code execution in the dropbear session process
> would be able to steal the key still. The only added protection you'd
> get is against heartbleed-type attacks (arbitrary memory read but
> no code execution).

ACK, ... isn't that bad, to protect against that kind of key stealing, with a very simple solution, and no need for further code restructuring? IMO it is a quick intermediate solution, until someone may be able to restructure key creation code, still giving the possibility to let dropbear drop root privileges completely (except pty/utmp question).

>> So consider my suggestion a simpler to implement solution, in
>> between having full root privileges or hanging keys in memory, and
>> an external process to do the rekey steps (in addition: with the
>> possibility to let that process use the dropbear group and not root
>> to access keys - even better than let that process hang around as
>> root)
>
> If this external process is setuid/setgid, I consider that a much
> bigger vuln.

Just to mention: My statement 'separate process' doesn't include or intend a separate suid/sgid program.

> It would have to somehow verify that it's being invoked
> by a valid dropbear session process and not some other caller that
> just wants to use it to steal keys/forge key negotiations, and you
> have all the usual issues with setuid programs having to be defensive
> about the state they inherit when invoked.

I didn't think of an exec to a separate program, but just fork and let a process for key management run in the back. So a bit simpler to verify authentication of caller, but still somehow required ... or what else did you suggest?

> If on the other hand the session process just kept gid=dropbear to
> open and reload the key, it wouldn't be so bad.

That's it, the key creator part doesn't need root privileges for its operation either. That is just a combination of the two approaches.

Harald