Message-ID: <87oazlnxtv.fsf@mid.deneb.enyo.de>
Date: Mon, 28 Apr 2014 19:55:08 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: super unchecked setuid (CVE-2014-0470)

Robert's patch, reproduced below, has all the details.

From: Robert Luberda <robert@...ian.org>
Date: Wed, 23 Apr 2014 00:28:19 +0200
Subject: 14 Fix unchecked setuid call

Fix the following issue noticed by John Lightsey:
  super.c does an unchecked setuid(getuid()) when the -F flag
  is supplied pointing to a configuration file to test. This opens
  super up to the RLIM_NPROC style exploits on 2.6 kernels.

The issue was assigned number CVE-2014-0470.
---
 super.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/super.c b/super.c
index abea061..1c21886 100644
--- a/super.c
+++ b/super.c
@@ -849,7 +849,9 @@ by `-o %s' is overridden by file `%s'", *o_file, superfile);
 		     * to the real uid.
 		     */
 		    if (getuid() != 0) {
-			setuid(getuid());
+		        if (setuid(getuid()) == -1)
+		            Error(1, 1, "Can't set uid to %d: ", getuid());
+
 			fprintf(stderr,
     "\t** Since you have supplied a super.tab file that isn't the default,\n");
 			fprintf(stderr,
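
Review bot: the added `if (setuid(getuid()) == -1)` branch only closes the hole if `Error(1, 1, ...)` never returns. If it can return with these arguments, execution falls through to the `fprintf` calls and continues with the uid not dropped, so either note in a comment that this call exits or follow it with an explicit exit. On the same `Error` line, `getuid()` returns `uid_t`, an unsigned type on Linux, and is passed to `%d`; cast it, for example `(int) getuid()`, or use `%lu` with `(unsigned long) getuid()`. The two added lines are also indented with a mix of tabs and spaces, where the surrounding code uses tabs only.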
