Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability
On Tue, Jan 09, 2001 at 01:41:41PM +0100, Christoph Baumann wrote:
> On Tue, Jan 09, 2001 at 11:08:56AM +0000, Julian Gilbey wrote:
> > Most weird. I get this behaviour when running through a setuid root
> > strace, but I don't get the error messages (and hence the content of
> > /etc/shadow) when I don't use strace. I'm still running potato.
>
> I have some more oddities to add.
> When I set RESOLV_HOST_CONF=/etc/shadow and run "fping debian.org" I don't
> get /etc/shadow displayed. Even running it with a +s strace doesn't work.
> But when I use "sudo fping ..." I get /etc/shadow displayed (which
> shouldn't be such a big hole in that case). I too tried it with potato.
Potato is not vulnerable. This is a woody/sid only bug (i.e. glibc
2.1.9x and greater, such as the 2.2 in woody/sid). The bug is not that
it prints this info, but that it uses the env variable even when
suid/sgid. This wasn't supposed to happen, and the actual fix was a
missing comma in the list of secure env vars that were supposed to be
cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF).
Ben
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
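The "missing comma" Ben describes is a classic C pitfall: adjacent string literals are concatenated by the compiler, so one dropped comma silently merges two table entries into a single name that matches nothing. The constructed example below (not glibc's source and not code from this thread; the table layout and the variable names other than RESOLV_HOST_CONF are assumed) puts the buggy and corrected tables side by side and adds the compile-time entry-count check that would have caught the merge before it shipped.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the set-uid env filter table; not glibc's source. */

/* Buggy table: the comma after "RESOLV_HOST_CONF" is missing, so the
 * compiler concatenates the two adjacent literals into ONE entry,
 * "RESOLV_HOST_CONFRES_OPTIONS", and neither real name matches any more. */
const char *const unsecure_vars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"      /* <- missing comma */
    "RES_OPTIONS",
    NULL
};

/* Corrected table: each name is its own entry. */
const char *const unsecure_vars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
    NULL
};

/* Number of names in a NULL-terminated table. */
size_t table_count(const char *const *table)
{
    size_t n = 0;
    while (table[n] != NULL)
        n++;
    return n;
}

/* 1 if NAME would be cleared by TABLE at set-uid start-up, else 0. */
int is_filtered(const char *const *table, const char *name)
{
    for (; *table != NULL; table++)
        if (strcmp(*table, name) == 0)
            return 1;
    return 0;
}

/* Compile-time guard: the entry count is known statically, so a merged
 * literal fails the build instead of shipping (4 names + NULL = 5). The
 * same assertion on unsecure_vars_buggy would not compile (count is 4). */
_Static_assert(sizeof(unsecure_vars_fixed) / sizeof(unsecure_vars_fixed[0]) == 5,
               "unsecure_vars_fixed: an entry is missing or a comma was lost");
```

With the buggy table, RESOLV_HOST_CONF survives into a set-uid process exactly as the thread describes, while the fixed table clears it.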