Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <8d61536b-717a-444a-9649-fe6898b04e8e@oracle.com>
Date: Tue, 3 Jun 2025 10:16:52 +0200
From: Vegard Nossum <vegard.nossum@...cle.com>
To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>,
        Qualys Security Advisory <qsa@...lys.com>
Subject: Re: Local information disclosure in apport and
 systemd-coredump


On 03/06/2025 06:05, Solar Designer wrote:
> With the PID range reduced from the default of 4M down to 2K, PID reuse
> is quick even with simple fork().  I am getting frequent unix_chkpwd
> coredumps (without password hashes in them, which is as expected without
> inotify), but none of them are getting ACLs set for read by the user
> (unexpected - I thought I'd win this easier race once in a while), e.g.:

I admit I didn't look very closely at the specifics of this bug but
maybe you could use a setpid() technique like this one?

"""
newgrp: fix potential string injection

Since newgrp is setuid-root, any write() system calls it does in order
to print error messages will be done as the root user.

Unprivileged users can get newgrp to print essentially arbitrary strings
to any open file in this way by passing those strings as argv[0] when
calling execve(). For example:

     $ setpid() { (exec -a $1$'\n:' newgrp '' 
2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; }
     $ setpid 31000
     $ readlink /proc/self
     31001

This is not a vulnerability in newgrp; it is a bug in the Linux kernel.

However, this type of bug is not new [1] and it makes sense to try to
mitigate these types of bugs in userspace where possible.

[1]: https://lwn.net/Articles/476947/
"""

https://github.com/shadow-maint/shadow/commit/9df4801e0b65073cc8a9031b22a73532ef7fdc2c


Vegard

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.