
Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability



On Tue, Jan 09, 2001 at 01:41:41PM +0100, Christoph Baumann wrote:
> On Tue, Jan 09, 2001 at 11:08:56AM +0000, Julian Gilbey wrote:
> > Most weird.  I get this behaviour when running through a setuid root
> > strace, but I don't get the error messages (and hence the content of
> > /etc/shadow) when I don't use strace.  I'm still running potato.
> 
> I have some more oddities to add.
> When I set RESOLV_HOST_CONF=/etc/shadow and run "fping debian.org" I don't
> get /etc/shadow displayed. Even running it with a +s strace doesn't work.
> But when I use "sudo fping ..." I get /etc/shadow displayed (which
> shouldn't be such a big hole in that case). I too tried it with potato.

Potato is not vulnerable. This is a woody/sid only bug (i.e. glibc
2.1.9x and greater, such as the 2.2 in woody/sid). The bug is not that
it prints this info, but that it uses the env variable even when
suid/sgid. This wasn't supposed to happen, and the actual fix was a
missing comma in the list of secure env vars that were supposed to be
cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF).

Ben

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
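As an added illustration (constructed here, not the glibc source and not code from this thread), the C pitfall behind a "missing comma" in a table of string literals: adjacent literals concatenate, so the entry silently fuses with its neighbour, the table shrinks by one, and the variable is never matched and never cleared for a set-user-ID/set-group-ID program. The table contents and neighbouring names are assumptions; only RESOLV_HOST_CONF comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table of environment variables that must be dropped when a
 * program starts set-uid/set-gid.  Entry order and neighbours are assumed;
 * they are not the real glibc list. */

/* Buggy version: no comma after "RESOLV_HOST_CONF".  The compiler joins the
 * two literals into "RESOLV_HOST_CONFRES_OPTIONS", so neither name is in the
 * table any more and the table has one element fewer than intended. */
static const char *const unsecure_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"   /* <- missing comma, no compiler warning */
    "RES_OPTIONS",
    NULL
};

/* Corrected version of the same table. */
static const char *const unsecure_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
    NULL
};

/* Return 1 if `name` is listed and would therefore be cleared at startup. */
static int is_unsecure(const char *const *table, const char *name)
{
    for (; *table != NULL; ++table)
        if (strcmp(*table, name) == 0)
            return 1;
    return 0;
}

/* Number of entries; a cheap sanity check that catches a fused literal. */
static size_t table_len(const char *const *table)
{
    size_t n = 0;
    while (table[n] != NULL)
        ++n;
    return n;
}

int main(void)
{
    printf("buggy: RESOLV_HOST_CONF cleared=%d entries=%zu\n",
           is_unsecure(unsecure_buggy, "RESOLV_HOST_CONF"), table_len(unsecure_buggy));
    printf("fixed: RESOLV_HOST_CONF cleared=%d entries=%zu\n",
           is_unsecure(unsecure_fixed, "RESOLV_HOST_CONF"), table_len(unsecure_fixed));
    return 0;
}
```

Comparing the entry count against the intended number (for example with a static assertion) is the simplest way to catch this class of typo at build time.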